[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <875zcrpx1g.fsf@x220.int.ebiederm.org>
Date: Tue, 19 May 2020 14:03:23 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Kees Cook <keescook@...omium.org>
Cc: linux-kernel@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>, Jann Horn <jannh@...gle.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Rob Landley <rob@...dley.net>,
Bernd Edlinger <bernd.edlinger@...mail.de>,
linux-fsdevel@...r.kernel.org, Al Viro <viro@...IV.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Casey Schaufler <casey@...aufler-ca.com>,
linux-security-module@...r.kernel.org,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [PATCH v2 3/8] exec: Convert security_bprm_set_creds into security_bprm_repopulate_creds
Kees Cook <keescook@...omium.org> writes:
> On Mon, May 18, 2020 at 07:31:14PM -0500, Eric W. Biederman wrote:
>>
>> Rename bprm->cap_elevated to bprm->active_secureexec and initialize it
>> in prepare_binprm instead of in cap_bprm_set_creds. Initializing
>> bprm->active_secureexec in prepare_binprm allows multiple
>> implementations of security_bprm_repopulate_creds to play nicely with
>> each other.
>>
>> Rename security_bprm_set_creds to security_bprm_reopulate_creds to
>> emphasize that this path recomputes part of bprm->cred. This
>> recomputation avoids the time of check vs time of use problems that
>> are inherent in unix #! interpreters.
>>
>> In short two renames and a move in the location of initializing
>> bprm->active_secureexec.
>
> I like this much better than the direct call to the capabilities hook.
> Thanks!
>
> Reviewed-by: Kees Cook <keescook@...omium.org>
>
> One nit is a bikeshed on the name "active_secureexec", since
> the word "active" isn't really associated with any other part of the
> binfmt logic. It's supposed to be "latest state from the binfmt loop",
> so instead of "active", I considered these words that I also didn't
> like: "current", "this", "recent", and "now". Is "latest" better than
> "active"? Probably not.
I had pretty much the same problem. Active at least conveys that it
is still malleable and might change.
>> [...]
>> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
>> index d1217fcdedea..8605ab4a0f89 100644
>> --- a/include/linux/binfmts.h
>> +++ b/include/linux/binfmts.h
>> @@ -27,10 +27,10 @@ struct linux_binprm {
>> unsigned long argmin; /* rlimit marker for copy_strings() */
>> unsigned int
>> /*
>> - * True if most recent call to cap_bprm_set_creds
>> + * True if most recent call to security_bprm_set_creds
>> * resulted in elevated privileges.
>> */
>> - cap_elevated:1,
>> + active_secureexec:1,
>
> Also, I'd like it if this comment could be made more verbose as well, for
> anyone trying to understand the binfmt execution flow for the first time.
> Perhaps:
>
> /*
> * Must be set True during the any call to
> * bprm_set_creds hook where the execution would
> * reuslt in elevated privileges. (The hook can be
> * called multiple times during nested interpreter
> * resolution across binfmt_script, binfmt_misc, etc).
> */
Well it is not during but after the call that it becomes true.
I think most recent covers the case of multiple calls.
I think having the loop explicitly in the code a few patches
later makes it clear that there is a loop dealing with interpreters.
Conciseness has a virtue in that it is easy to absorb. Seeing
active says most recent and secureexec does not is enough to ask
questions and look at the code.
Eric
Powered by blists - more mailing lists