| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <202005191211.97BCF9DA@keescook>
Date: Tue, 19 May 2020 12:14:40 -0700
From: Kees Cook <keescook@...omium.org>
To: "Eric W. Biederman" <ebiederm@...ssion.com>
Cc: linux-kernel@...r.kernel.org,
Linus Torvalds <torvalds@...ux-foundation.org>,
Oleg Nesterov <oleg@...hat.com>, Jann Horn <jannh@...gle.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Rob Landley <rob@...dley.net>,
Bernd Edlinger <bernd.edlinger@...mail.de>,
linux-fsdevel@...r.kernel.org, Al Viro <viro@...IV.linux.org.uk>,
Alexey Dobriyan <adobriyan@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Casey Schaufler <casey@...aufler-ca.com>,
linux-security-module@...r.kernel.org,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Andy Lutomirski <luto@...capital.net>
Subject: Re: [PATCH v2 3/8] exec: Convert security_bprm_set_creds into
security_bprm_repopulate_creds
On Tue, May 19, 2020 at 02:03:23PM -0500, Eric W. Biederman wrote:
> Kees Cook <keescook@...omium.org> writes:
>
> > On Mon, May 18, 2020 at 07:31:14PM -0500, Eric W. Biederman wrote:
> >> [...]
> >> diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
> >> index d1217fcdedea..8605ab4a0f89 100644
> >> --- a/include/linux/binfmts.h
> >> +++ b/include/linux/binfmts.h
> >> @@ -27,10 +27,10 @@ struct linux_binprm {
> >> unsigned long argmin; /* rlimit marker for copy_strings() */
> >> unsigned int
> >> /*
> >> - * True if most recent call to cap_bprm_set_creds
> >> + * True if most recent call to security_bprm_set_creds
> >> * resulted in elevated privileges.
> >> */
> >> - cap_elevated:1,
> >> + active_secureexec:1,
> >
> > Also, I'd like it if this comment could be made more verbose as well, for
> > anyone trying to understand the binfmt execution flow for the first time.
> > Perhaps:
> >
> > /*
> > * Must be set True during the any call to
> > * bprm_set_creds hook where the execution would
> > * reuslt in elevated privileges. (The hook can be
> > * called multiple times during nested interpreter
> > * resolution across binfmt_script, binfmt_misc, etc).
> > */
> Well it is not during but after the call that it becomes true.
> I think most recent covers the case of multiple calls.
I'm thinking of an LSM writing reading these comments to decide what
they need to do to the flags, so it's a direction to them to set it to
true if they have determined that privilege was gained. (Though in
theory, this is all moot since only the commoncap hook cares.)
> I think having the loop explicitly in the code a few patches
> later makes it clear that there is a loop dealing with interpreters.
>
> Conciseness has a virtue in that it is easy to absorb. Seeing
> active says most recent and secureexec does not is enough to ask
> questions and look at the code.
I still think a hint about the nature of nested exec resolution would be
nice in here somewhere, especially given that this value is zeroed
before each call to the hook.
--
Kees Cook
Powered by blists - more mailing lists