[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 7 Jul 2017 11:27:58 -0700
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Andy Lutomirski <luto@...nel.org>,
Michal Hocko <mhocko@...nel.org>,
Ben Hutchings <ben@...adent.org.uk>, Willy Tarreau <w@....eu>,
Hugh Dickins <hughd@...gle.com>,
Oleg Nesterov <oleg@...hat.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Rik van Riel <riel@...hat.com>,
Larry Woodman <lwoodman@...hat.com>,
"Kirill A. Shutemov" <kirill@...temov.name>,
Tony Luck <tony.luck@...el.com>,
"James E.J. Bottomley" <jejb@...isc-linux.org>,
Helge Diller <deller@....de>,
James Hogan <james.hogan@...tec.com>,
Laura Abbott <labbott@...hat.com>, Greg KH <greg@...ah.com>,
"security@...nel.org" <security@...nel.org>,
Qualys Security Advisory <qsa@...lys.com>,
LKML <linux-kernel@...r.kernel.org>,
Ximin Luo <infinity0@...ian.org>
Subject: Re: [RFC][PATCH] exec: Use init rlimits for setuid exec
On Fri, Jul 7, 2017 at 9:22 AM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
> On Thu, Jul 6, 2017 at 11:40 PM, Kees Cook <keescook@...omium.org> wrote:
> So I definitely like this approach, as long as we clarify that crazy
> security_bprm_secureexec() model. That code really is insane.
Yeah, it really seems like security_bprm_secureexec() should be
checking the bprm cred, though there are comments in the LSMs about
why this isn't done. I'll dig through the history there; it may be an
artifact of the old cred installation ordering...
It seems like an LSM would want to see "current creds" and "new creds"
as distinct things for comparing the results, but I'll check it out.
> In contrast, if the code just did:
>
> if (security_bprm_secureexec(bprm)) {
> if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
> current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
> }
>
> and leave the hard limit alone entirely. At least that doesn't let
> anybody escape the limits that the sysadmin has set.
Sounds good to me.
>
> Hmm? Yes, this allows people to try to attack suid binaries with a
> really small stack. But that's a pre-existing attack - do we have
> worries about it?
Agreed, I think that's out of scope for this.
-Kees
--
Kees Cook
Pixel Security
Powered by blists - more mailing lists