mirror of
https://github.com/torvalds/linux.git
synced 2024-12-27 13:22:23 +00:00
This series has the ultimate goal of providing a sane stack rlimit when
running set*id processes. To do this, the bprm_secureexec LSM hook is collapsed into the bprm_set_creds hook so the secureexec-ness of an exec can be determined early enough to make decisions about rlimits and the resulting memory layouts. Other logic acting on the secureexec-ness of an exec is similarly consolidated. Capabilities needed some special handling, but the refactoring removed other special handling, so that was a wash. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Kees Cook <kees@outflux.net> iQIcBAABCgAGBQJZrwRKAAoJEIly9N/cbcAmhboP/iwLbYfWngIJdu3pYKrW+CEg uUVY6RNnsumJ5yEhD/yQKXSPmZ8PkC8vexPYvf8TcPOlMRQuhVvdiR0FfSUvkMWy pB8ZVCyAV1uSnW4BH61FCxHInrahy8jlvQwnAujvw+FNxhcQjyEGKupOLIMGLioQ 8G5Ihf+hOjiXRhKbXueQi89n8i4jEI5YTH1RnC+Gsy8jG11EC9BhPddKSMaUKZA3 HYYqUyV0daYpGuxTOxaRdDO5wb6rlS+B46hqtOsSsIBOQkCjnLCRcdeMCqvXjQmv kyZj03cPlUjEHqh3d3nB6utvVWReGf/p986//kQjT1OZPhATbySAu7wUHoLik3dU zuexudNTBROf6YXahMxSJp348GS++xoBFARa78402E++U7C4/eoclbLCWAylBwVA H+QAHFYRC2WFoskejSYBRPz6HLr1SIaSYMsKbkHqP07zi6p3ic2Uq3XvOP2zL/5p l/mXa1Fs2vcDOWPER8a8b9mVkJDvuXj6J11lG+q80UWAWC3sd9GkSwOen80ps3Xo /7dd+h2BAJSSVxZQFxd5YCx99mT0ntQZ797PhjxOY6SX/xUdOCAp9x1zDU5OUovP q2ty3UTd7tq8h1RnHOnrn9cKmMmI7kpBvEfPGM507cEVjyfsMu2jJtUxN9dXOAkB aebEsg3C8M6z5OdGVpWH =Yva4 -----END PGP SIGNATURE----- Merge tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull secureexec update from Kees Cook: "This series has the ultimate goal of providing a sane stack rlimit when running set*id processes. To do this, the bprm_secureexec LSM hook is collapsed into the bprm_set_creds hook so the secureexec-ness of an exec can be determined early enough to make decisions about rlimits and the resulting memory layouts. Other logic acting on the secureexec-ness of an exec is similarly consolidated. Capabilities needed some special handling, but the refactoring removed other special handling, so that was a wash" * tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: exec: Consolidate pdeath_signal clearing exec: Use sane stack rlimit under secureexec exec: Consolidate dumpability logic smack: Remove redundant pdeath_signal clearing exec: Use secureexec for clearing pdeath_signal exec: Use secureexec for setting dumpability LSM: drop bprm_secureexec hook commoncap: Move cap_elevated calculation into bprm_set_creds commoncap: Refactor to remove bprm_secureexec hook smack: Refactor to remove bprm_secureexec hook selinux: Refactor to remove bprm_secureexec hook apparmor: Refactor to remove bprm_secureexec hook binfmt: Introduce secureexec flag exec: Correct comments about "point of no return" exec: Rename bprm->cred_prepared to called_set_creds
This commit is contained in:
commit
828f4257d1
@ -252,7 +252,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
|
||||
NEW_AUX_ENT(AT_EUID, from_kuid_munged(cred->user_ns, cred->euid));
|
||||
NEW_AUX_ENT(AT_GID, from_kgid_munged(cred->user_ns, cred->gid));
|
||||
NEW_AUX_ENT(AT_EGID, from_kgid_munged(cred->user_ns, cred->egid));
|
||||
NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm));
|
||||
NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
|
||||
NEW_AUX_ENT(AT_RANDOM, (elf_addr_t)(unsigned long)u_rand_bytes);
|
||||
#ifdef ELF_HWCAP2
|
||||
NEW_AUX_ENT(AT_HWCAP2, ELF_HWCAP2);
|
||||
|
@ -650,7 +650,7 @@ static int create_elf_fdpic_tables(struct linux_binprm *bprm,
|
||||
NEW_AUX_ENT(AT_EUID, (elf_addr_t) from_kuid_munged(cred->user_ns, cred->euid));
|
||||
NEW_AUX_ENT(AT_GID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->gid));
|
||||
NEW_AUX_ENT(AT_EGID, (elf_addr_t) from_kgid_munged(cred->user_ns, cred->egid));
|
||||
NEW_AUX_ENT(AT_SECURE, security_bprm_secureexec(bprm));
|
||||
NEW_AUX_ENT(AT_SECURE, bprm->secureexec);
|
||||
NEW_AUX_ENT(AT_EXECFN, bprm->exec);
|
||||
|
||||
#ifdef ARCH_DLINFO
|
||||
|
@ -890,7 +890,7 @@ static int load_flat_shared_library(int id, struct lib_info *libs)
|
||||
* as we're past the point of no return and are dealing with shared
|
||||
* libraries.
|
||||
*/
|
||||
bprm.cred_prepared = 1;
|
||||
bprm.called_set_creds = 1;
|
||||
|
||||
res = prepare_binprm(&bprm);
|
||||
|
||||
|
56
fs/exec.c
56
fs/exec.c
@ -1259,6 +1259,12 @@ void __set_task_comm(struct task_struct *tsk, const char *buf, bool exec)
|
||||
perf_event_comm(tsk, exec);
|
||||
}
|
||||
|
||||
/*
|
||||
* Calling this is the point of no return. None of the failures will be
|
||||
* seen by userspace since either the process is already taking a fatal
|
||||
* signal (via de_thread() or coredump), or will have SEGV raised
|
||||
* (after exec_mmap()) by search_binary_handlers (see below).
|
||||
*/
|
||||
int flush_old_exec(struct linux_binprm * bprm)
|
||||
{
|
||||
int retval;
|
||||
@ -1286,7 +1292,13 @@ int flush_old_exec(struct linux_binprm * bprm)
|
||||
if (retval)
|
||||
goto out;
|
||||
|
||||
bprm->mm = NULL; /* We're using it now */
|
||||
/*
|
||||
* After clearing bprm->mm (to mark that current is using the
|
||||
* prepared mm now), we have nothing left of the original
|
||||
* process. If anything from here on returns an error, the check
|
||||
* in search_binary_handler() will SEGV current.
|
||||
*/
|
||||
bprm->mm = NULL;
|
||||
|
||||
set_fs(USER_DS);
|
||||
current->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
|
||||
@ -1331,15 +1343,38 @@ EXPORT_SYMBOL(would_dump);
|
||||
|
||||
void setup_new_exec(struct linux_binprm * bprm)
|
||||
{
|
||||
/*
|
||||
* Once here, prepare_binrpm() will not be called any more, so
|
||||
* the final state of setuid/setgid/fscaps can be merged into the
|
||||
* secureexec flag.
|
||||
*/
|
||||
bprm->secureexec |= bprm->cap_elevated;
|
||||
|
||||
if (bprm->secureexec) {
|
||||
/* Make sure parent cannot signal privileged process. */
|
||||
current->pdeath_signal = 0;
|
||||
|
||||
/*
|
||||
* For secureexec, reset the stack limit to sane default to
|
||||
* avoid bad behavior from the prior rlimits. This has to
|
||||
* happen before arch_pick_mmap_layout(), which examines
|
||||
* RLIMIT_STACK, but after the point of no return to avoid
|
||||
* needing to clean up the change on failure.
|
||||
*/
|
||||
if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
|
||||
current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
|
||||
}
|
||||
|
||||
arch_pick_mmap_layout(current->mm);
|
||||
|
||||
/* This is the point of no return */
|
||||
current->sas_ss_sp = current->sas_ss_size = 0;
|
||||
|
||||
if (uid_eq(current_euid(), current_uid()) && gid_eq(current_egid(), current_gid()))
|
||||
set_dumpable(current->mm, SUID_DUMP_USER);
|
||||
else
|
||||
/* Figure out dumpability. */
|
||||
if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
|
||||
bprm->secureexec)
|
||||
set_dumpable(current->mm, suid_dumpable);
|
||||
else
|
||||
set_dumpable(current->mm, SUID_DUMP_USER);
|
||||
|
||||
arch_setup_new_exec();
|
||||
perf_event_exec();
|
||||
@ -1351,15 +1386,6 @@ void setup_new_exec(struct linux_binprm * bprm)
|
||||
*/
|
||||
current->mm->task_size = TASK_SIZE;
|
||||
|
||||
/* install the new credentials */
|
||||
if (!uid_eq(bprm->cred->uid, current_euid()) ||
|
||||
!gid_eq(bprm->cred->gid, current_egid())) {
|
||||
current->pdeath_signal = 0;
|
||||
} else {
|
||||
if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)
|
||||
set_dumpable(current->mm, suid_dumpable);
|
||||
}
|
||||
|
||||
/* An exec changes our domain. We are no longer part of the thread
|
||||
group */
|
||||
current->self_exec_id++;
|
||||
@ -1548,7 +1574,7 @@ int prepare_binprm(struct linux_binprm *bprm)
|
||||
retval = security_bprm_set_creds(bprm);
|
||||
if (retval)
|
||||
return retval;
|
||||
bprm->cred_prepared = 1;
|
||||
bprm->called_set_creds = 1;
|
||||
|
||||
memset(bprm->buf, 0, BINPRM_BUF_SIZE);
|
||||
return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
|
||||
|
@ -25,11 +25,25 @@ struct linux_binprm {
|
||||
struct mm_struct *mm;
|
||||
unsigned long p; /* current top of mem */
|
||||
unsigned int
|
||||
cred_prepared:1,/* true if creds already prepared (multiple
|
||||
* preps happen for interpreters) */
|
||||
cap_effective:1;/* true if has elevated effective capabilities,
|
||||
* false if not; except for init which inherits
|
||||
* its parent's caps anyway */
|
||||
/*
|
||||
* True after the bprm_set_creds hook has been called once
|
||||
* (multiple calls can be made via prepare_binprm() for
|
||||
* binfmt_script/misc).
|
||||
*/
|
||||
called_set_creds:1,
|
||||
/*
|
||||
* True if most recent call to the commoncaps bprm_set_creds
|
||||
* hook (due to multiple prepare_binprm() calls from the
|
||||
* binfmt_script/misc handlers) resulted in elevated
|
||||
* privileges.
|
||||
*/
|
||||
cap_elevated:1,
|
||||
/*
|
||||
* Set by bprm_set_creds hook to indicate a privilege-gaining
|
||||
* exec has happened. Used to sanitize execution environment
|
||||
* and to set AT_SECURE auxv for glibc.
|
||||
*/
|
||||
secureexec:1;
|
||||
#ifdef __alpha__
|
||||
unsigned int taso:1;
|
||||
#endif
|
||||
|
@ -43,7 +43,11 @@
|
||||
* interpreters. The hook can tell whether it has already been called by
|
||||
* checking to see if @bprm->security is non-NULL. If so, then the hook
|
||||
* may decide either to retain the security information saved earlier or
|
||||
* to replace it.
|
||||
* to replace it. The hook must set @bprm->secureexec to 1 if a "secure
|
||||
* exec" has happened as a result of this hook call. The flag is used to
|
||||
* indicate the need for a sanitized execution environment, and is also
|
||||
* passed in the ELF auxiliary table on the initial stack to indicate
|
||||
* whether libc should enable secure mode.
|
||||
* @bprm contains the linux_binprm structure.
|
||||
* Return 0 if the hook is successful and permission is granted.
|
||||
* @bprm_check_security:
|
||||
@ -71,12 +75,6 @@
|
||||
* linux_binprm structure. This hook is a good place to perform state
|
||||
* changes on the process such as clearing out non-inheritable signal
|
||||
* state. This is called immediately after commit_creds().
|
||||
* @bprm_secureexec:
|
||||
* Return a boolean value (0 or 1) indicating whether a "secure exec"
|
||||
* is required. The flag is passed in the auxiliary table
|
||||
* on the initial stack to the ELF interpreter to indicate whether libc
|
||||
* should enable secure mode.
|
||||
* @bprm contains the linux_binprm structure.
|
||||
*
|
||||
* Security hooks for filesystem operations.
|
||||
*
|
||||
@ -1388,7 +1386,6 @@ union security_list_options {
|
||||
|
||||
int (*bprm_set_creds)(struct linux_binprm *bprm);
|
||||
int (*bprm_check_security)(struct linux_binprm *bprm);
|
||||
int (*bprm_secureexec)(struct linux_binprm *bprm);
|
||||
void (*bprm_committing_creds)(struct linux_binprm *bprm);
|
||||
void (*bprm_committed_creds)(struct linux_binprm *bprm);
|
||||
|
||||
@ -1710,7 +1707,6 @@ struct security_hook_heads {
|
||||
struct list_head vm_enough_memory;
|
||||
struct list_head bprm_set_creds;
|
||||
struct list_head bprm_check_security;
|
||||
struct list_head bprm_secureexec;
|
||||
struct list_head bprm_committing_creds;
|
||||
struct list_head bprm_committed_creds;
|
||||
struct list_head sb_alloc_security;
|
||||
|
@ -85,7 +85,6 @@ extern int cap_capset(struct cred *new, const struct cred *old,
|
||||
const kernel_cap_t *inheritable,
|
||||
const kernel_cap_t *permitted);
|
||||
extern int cap_bprm_set_creds(struct linux_binprm *bprm);
|
||||
extern int cap_bprm_secureexec(struct linux_binprm *bprm);
|
||||
extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
|
||||
const void *value, size_t size, int flags);
|
||||
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
|
||||
@ -232,7 +231,6 @@ int security_bprm_set_creds(struct linux_binprm *bprm);
|
||||
int security_bprm_check(struct linux_binprm *bprm);
|
||||
void security_bprm_committing_creds(struct linux_binprm *bprm);
|
||||
void security_bprm_committed_creds(struct linux_binprm *bprm);
|
||||
int security_bprm_secureexec(struct linux_binprm *bprm);
|
||||
int security_sb_alloc(struct super_block *sb);
|
||||
void security_sb_free(struct super_block *sb);
|
||||
int security_sb_copy_data(char *orig, char *copy);
|
||||
@ -541,11 +539,6 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
|
||||
{
|
||||
}
|
||||
|
||||
static inline int security_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
return cap_bprm_secureexec(bprm);
|
||||
}
|
||||
|
||||
static inline int security_sb_alloc(struct super_block *sb)
|
||||
{
|
||||
return 0;
|
||||
|
@ -758,7 +758,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
||||
file_inode(bprm->file)->i_mode
|
||||
};
|
||||
|
||||
if (bprm->cred_prepared)
|
||||
if (bprm->called_set_creds)
|
||||
return 0;
|
||||
|
||||
ctx = cred_ctx(bprm->cred);
|
||||
@ -807,7 +807,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
|
||||
aa_label_printk(new, GFP_ATOMIC);
|
||||
dbg_printk("\n");
|
||||
}
|
||||
bprm->unsafe |= AA_SECURE_X_NEEDED;
|
||||
bprm->secureexec = 1;
|
||||
}
|
||||
|
||||
if (label->proxy != new->proxy) {
|
||||
@ -843,23 +843,6 @@ audit:
|
||||
goto done;
|
||||
}
|
||||
|
||||
/**
|
||||
* apparmor_bprm_secureexec - determine if secureexec is needed
|
||||
* @bprm: binprm for exec (NOT NULL)
|
||||
*
|
||||
* Returns: %1 if secureexec is needed else %0
|
||||
*/
|
||||
int apparmor_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
/* the decision to use secure exec is computed in set_creds
|
||||
* and stored in bprm->unsafe.
|
||||
*/
|
||||
if (bprm->unsafe & AA_SECURE_X_NEEDED)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Functions for self directed profile change
|
||||
*/
|
||||
|
@ -30,7 +30,6 @@ struct aa_domain {
|
||||
#define AA_CHANGE_STACK 8
|
||||
|
||||
int apparmor_bprm_set_creds(struct linux_binprm *bprm);
|
||||
int apparmor_bprm_secureexec(struct linux_binprm *bprm);
|
||||
|
||||
void aa_free_domain_entries(struct aa_domain *domain);
|
||||
int aa_change_hat(const char *hats[], int count, u64 token, int flags);
|
||||
|
@ -101,9 +101,6 @@ static inline struct aa_label *aa_get_file_label(struct aa_file_ctx *ctx)
|
||||
#define AA_X_INHERIT 0x4000
|
||||
#define AA_X_UNCONFINED 0x8000
|
||||
|
||||
/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
|
||||
#define AA_SECURE_X_NEEDED 0x8000
|
||||
|
||||
/* need to make conditional which ones are being set */
|
||||
struct path_cond {
|
||||
kuid_t uid;
|
||||
|
@ -694,7 +694,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
|
||||
LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
|
||||
LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
|
||||
LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
|
||||
LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
|
||||
|
||||
LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
|
||||
};
|
||||
|
@ -285,15 +285,6 @@ int cap_capset(struct cred *new,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Clear proposed capability sets for execve().
|
||||
*/
|
||||
static inline void bprm_clear_caps(struct linux_binprm *bprm)
|
||||
{
|
||||
cap_clear(bprm->cred->cap_permitted);
|
||||
bprm->cap_effective = false;
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_inode_need_killpriv - Determine if inode change affects privileges
|
||||
* @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
|
||||
@ -443,7 +434,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
|
||||
int rc = 0;
|
||||
struct cpu_vfs_cap_data vcaps;
|
||||
|
||||
bprm_clear_caps(bprm);
|
||||
cap_clear(bprm->cred->cap_permitted);
|
||||
|
||||
if (!file_caps_enabled)
|
||||
return 0;
|
||||
@ -476,7 +467,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
|
||||
|
||||
out:
|
||||
if (rc)
|
||||
bprm_clear_caps(bprm);
|
||||
cap_clear(bprm->cred->cap_permitted);
|
||||
|
||||
return rc;
|
||||
}
|
||||
@ -585,8 +576,6 @@ skip:
|
||||
if (WARN_ON(!cap_ambient_invariant_ok(new)))
|
||||
return -EPERM;
|
||||
|
||||
bprm->cap_effective = effective;
|
||||
|
||||
/*
|
||||
* Audit candidate if current->cap_effective is set
|
||||
*
|
||||
@ -614,33 +603,17 @@ skip:
|
||||
if (WARN_ON(!cap_ambient_invariant_ok(new)))
|
||||
return -EPERM;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_bprm_secureexec - Determine whether a secure execution is required
|
||||
* @bprm: The execution parameters
|
||||
*
|
||||
* Determine whether a secure execution is required, return 1 if it is, and 0
|
||||
* if it is not.
|
||||
*
|
||||
* The credentials have been committed by this point, and so are no longer
|
||||
* available through @bprm->cred.
|
||||
*/
|
||||
int cap_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
const struct cred *cred = current_cred();
|
||||
kuid_t root_uid = make_kuid(cred->user_ns, 0);
|
||||
|
||||
if (!uid_eq(cred->uid, root_uid)) {
|
||||
if (bprm->cap_effective)
|
||||
return 1;
|
||||
if (!cap_issubset(cred->cap_permitted, cred->cap_ambient))
|
||||
return 1;
|
||||
/* Check for privilege-elevated exec. */
|
||||
bprm->cap_elevated = 0;
|
||||
if (is_setid) {
|
||||
bprm->cap_elevated = 1;
|
||||
} else if (!uid_eq(new->uid, root_uid)) {
|
||||
if (effective ||
|
||||
!cap_issubset(new->cap_permitted, new->cap_ambient))
|
||||
bprm->cap_elevated = 1;
|
||||
}
|
||||
|
||||
return (!uid_eq(cred->euid, cred->uid) ||
|
||||
!gid_eq(cred->egid, cred->gid));
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1079,7 +1052,6 @@ struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
|
||||
LSM_HOOK_INIT(capget, cap_capget),
|
||||
LSM_HOOK_INIT(capset, cap_capset),
|
||||
LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
|
||||
LSM_HOOK_INIT(bprm_secureexec, cap_bprm_secureexec),
|
||||
LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
|
||||
LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
|
||||
LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
|
||||
|
@ -351,11 +351,6 @@ void security_bprm_committed_creds(struct linux_binprm *bprm)
|
||||
call_void_hook(bprm_committed_creds, bprm);
|
||||
}
|
||||
|
||||
int security_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
return call_int_hook(bprm_secureexec, 0, bprm);
|
||||
}
|
||||
|
||||
int security_sb_alloc(struct super_block *sb)
|
||||
{
|
||||
return call_int_hook(sb_alloc_security, 0, sb);
|
||||
|
@ -2356,7 +2356,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
|
||||
|
||||
/* SELinux context only depends on initial program or script and not
|
||||
* the script interpreter */
|
||||
if (bprm->cred_prepared)
|
||||
if (bprm->called_set_creds)
|
||||
return 0;
|
||||
|
||||
old_tsec = current_security();
|
||||
@ -2442,30 +2442,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
|
||||
|
||||
/* Clear any possibly unsafe personality bits on exec: */
|
||||
bprm->per_clear |= PER_CLEAR_ON_SETID;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int selinux_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
const struct task_security_struct *tsec = current_security();
|
||||
u32 sid, osid;
|
||||
int atsecure = 0;
|
||||
|
||||
sid = tsec->sid;
|
||||
osid = tsec->osid;
|
||||
|
||||
if (osid != sid) {
|
||||
/* Enable secure mode for SIDs transitions unless
|
||||
the noatsecure permission is granted between
|
||||
the two SIDs, i.e. ahp returns 0. */
|
||||
atsecure = avc_has_perm(osid, sid,
|
||||
SECCLASS_PROCESS,
|
||||
PROCESS__NOATSECURE, NULL);
|
||||
rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
|
||||
SECCLASS_PROCESS, PROCESS__NOATSECURE,
|
||||
NULL);
|
||||
bprm->secureexec |= !!rc;
|
||||
}
|
||||
|
||||
return !!atsecure;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int match_file(const void *p, struct file *file, unsigned fd)
|
||||
@ -6266,7 +6253,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
|
||||
LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds),
|
||||
LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds),
|
||||
LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds),
|
||||
LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec),
|
||||
|
||||
LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security),
|
||||
LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security),
|
||||
|
@ -917,7 +917,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
|
||||
struct superblock_smack *sbsp;
|
||||
int rc;
|
||||
|
||||
if (bprm->cred_prepared)
|
||||
if (bprm->called_set_creds)
|
||||
return 0;
|
||||
|
||||
isp = inode->i_security;
|
||||
@ -950,35 +950,9 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm)
|
||||
bsp->smk_task = isp->smk_task;
|
||||
bprm->per_clear |= PER_CLEAR_ON_SETID;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* smack_bprm_committing_creds - Prepare to install the new credentials
|
||||
* from bprm.
|
||||
*
|
||||
* @bprm: binprm for exec
|
||||
*/
|
||||
static void smack_bprm_committing_creds(struct linux_binprm *bprm)
|
||||
{
|
||||
struct task_smack *bsp = bprm->cred->security;
|
||||
|
||||
/* Decide if this is a secure exec. */
|
||||
if (bsp->smk_task != bsp->smk_forked)
|
||||
current->pdeath_signal = 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* smack_bprm_secureexec - Return the decision to use secureexec.
|
||||
* @bprm: binprm for exec
|
||||
*
|
||||
* Returns 0 on success.
|
||||
*/
|
||||
static int smack_bprm_secureexec(struct linux_binprm *bprm)
|
||||
{
|
||||
struct task_smack *tsp = current_security();
|
||||
|
||||
if (tsp->smk_task != tsp->smk_forked)
|
||||
return 1;
|
||||
bprm->secureexec = 1;
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -4645,8 +4619,6 @@ static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
|
||||
LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str),
|
||||
|
||||
LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),
|
||||
LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds),
|
||||
LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec),
|
||||
|
||||
LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
|
||||
LSM_HOOK_INIT(inode_free_security, smack_inode_free_security),
|
||||
|
@ -76,7 +76,7 @@ static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
|
||||
* Do only if this function is called for the first time of an execve
|
||||
* operation.
|
||||
*/
|
||||
if (bprm->cred_prepared)
|
||||
if (bprm->called_set_creds)
|
||||
return 0;
|
||||
#ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER
|
||||
/*
|
||||
|
Loading…
Reference in New Issue
Block a user