| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20221006082735.1321612-1-keescook@chromium.org>
Date: Thu, 6 Oct 2022 01:27:33 -0700
From: Kees Cook <keescook@...omium.org>
To: Eric Biederman <ebiederm@...ssion.com>
Cc: Kees Cook <keescook@...omium.org>,
Jorge Merlino <jorge.merlino@...onical.com>,
Al Viro <viro@...iv.linux.org.uk>,
"Christian Brauner (Microsoft)" <brauner@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>,
Andy Lutomirski <luto@...nel.org>,
Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Andrew Morton <akpm@...ux-foundation.org>,
John Johansen <john.johansen@...onical.com>,
Paul Moore <paul@...l-moore.com>,
James Morris <jmorris@...ei.org>,
"Serge E. Hallyn" <serge@...lyn.com>,
Stephen Smalley <stephen.smalley.work@...il.com>,
Eric Paris <eparis@...isplace.org>,
Richard Haines <richard_c_haines@...nternet.com>,
Casey Schaufler <casey@...aufler-ca.com>,
Xin Long <lucien.xin@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Todd Kjos <tkjos@...gle.com>,
Ondrej Mosnacek <omosnace@...hat.com>,
Prashanth Prahlad <pprahlad@...hat.com>,
Micah Morton <mortonm@...omium.org>,
Fenghua Yu <fenghua.yu@...el.com>,
Andrei Vagin <avagin@...il.com>, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, linux-fsdevel@...r.kernel.org,
apparmor@...ts.ubuntu.com, linux-security-module@...r.kernel.org,
selinux@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: [PATCH 0/2] fs/exec: Explicitly unshare fs_struct on exec
Hi,
These changes seek to address an issue reported[1] by Jorge Merlino where
high-thread-count processes would sometimes fail to setuid during a
setuid execve().
It looks to me like the solution is to explicitly do an unshare_fs(),
which should almost always be a no-op. Current testing seems to indicate
that only the swapper->init exec triggers this condition (and I'm unclear
on whether that's expected or undesirable). This has only received very
light testing so far, but I wanted to share it so other folks could look
it over.
Jorge, can you test with these patches? Your PoC triggered immediately
for me on an unpatched kernel, and did not trigger on a patched one.
I added this patch on top of the series to see if the code ever fired:
diff --git a/kernel/fork.c b/kernel/fork.c
index 53b7248f7a4b..3c197d9d8daa 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -3113,6 +3113,7 @@ int unshare_fs(void)
if (error || !new_fs)
return error;
+ pr_notice("UNSHARE of \"%s\" [%d]\n", current->comm, current->pid);
unshare_fs_finalize(&new_fs);
if (new_fs)
Thanks!
-Kees
[1] https://lore.kernel.org/lkml/20220910211215.140270-1-jorge.merlino@canonical.com/
Kees Cook (2):
fs/exec: Explicitly unshare fs_struct on exec
exec: Remove LSM_UNSAFE_SHARE
fs/exec.c | 26 ++++------------
fs/fs_struct.c | 1 -
include/linux/fdtable.h | 1 +
include/linux/fs_struct.h | 1 -
include/linux/security.h | 5 ++-
kernel/fork.c | 62 ++++++++++++++++++++++++++------------
security/apparmor/domain.c | 5 ---
security/selinux/hooks.c | 10 ------
8 files changed, 51 insertions(+), 60 deletions(-)
--
2.34.1
Powered by blists - more mailing lists