From patchwork Tue Oct 18 07:17:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 3984 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp1819376wrs; Tue, 18 Oct 2022 00:23:56 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4Ir9fRFuIub/lCX2dZ/BhAFfsS41h/QWxiulAlMbMCOc9yYz3vMnlydO3wT1J1nGVrXIb0 X-Received: by 2002:a17:902:7296:b0:180:1330:b3c0 with SMTP id d22-20020a170902729600b001801330b3c0mr1694897pll.170.1666077836095; Tue, 18 Oct 2022 00:23:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666077836; cv=none; d=google.com; s=arc-20160816; b=YMgllM0OQuKrwLJbdeyNVG8yvKWi9+XnOrXAnHA1esLvlL/LCsQtpk2lXrBrqBroJA muFTtfQhjsYtIpUhtnuipJd17b/PuHOG8snqmn1PGKK5vuMShX/XLNbh+3RFnRCAgC4t RHiFCceFmzIBQoVZ78kBs8O56FUdtKhTVYnnO+pMZeaE16yxWDjghgRyzhXJfphnbGDf mjlompoDwGivO3c1OMrnYh1EX5oztQEc7lDkYKz5WcOETnBx5c+km701duFHRW5Zdq6U lCPk0K2z2zm2UzKBGBQbiNJ2J3K+WqrS+MZZrWyROdiJfW9KqMnoJ5IzvEynXUcxdGAz zLew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=+WPhMYfNHJ7IkVsrnLKCMI0knahjH/ILooZWa3gsnak=; b=zALT36iAtHhoAgE+dGWJswO9PIk+vq5yOp7xBe135FX6o2ClBIqk6sX4Th2H5j/qdc zmYx716bJ+dFcrjghxyMGpvSvR6mbdciqsGK9BMvpwfSiVsqjRqVFUsyvznMRs5sxUXX pQreq9Qbs0Hc+l0yQVrbDI10vPDr001sYVRIZ1gTl31ESG/ntjmo0r5/ojSxGltF1rOD YxpUppKNtGG/dyYecgGxg/0V6djOvTSUSc6lUyVHvzkXicAPuuahijzy3auYD6mj7p6G +KJFe4IO33YCw1tNpGHgzGXA4j2MKVDKEba99fQYK9XP8n0dGuUzk1830/IswZ6b6PZb ZsPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=AmW4E1j4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z188-20020a6333c5000000b0043882f3e74bsi13664113pgz.441.2022.10.18.00.23.42; Tue, 18 Oct 2022 00:23:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=AmW4E1j4; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230164AbiJRHRg (ORCPT + 99 others); Tue, 18 Oct 2022 03:17:36 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230121AbiJRHRc (ORCPT ); Tue, 18 Oct 2022 03:17:32 -0400 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7CAE3DF3D for ; Tue, 18 Oct 2022 00:17:29 -0700 (PDT) Received: by mail-pl1-x630.google.com with SMTP id c24so13028758plo.3 for ; Tue, 18 Oct 2022 00:17:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=+WPhMYfNHJ7IkVsrnLKCMI0knahjH/ILooZWa3gsnak=; b=AmW4E1j4T7QfPNnh9U/FRHyDVB+LaUhI1xOg81gtwVTbvpoocoLxgq7zX/jEU20pv5 Y/9n4N8KVrAzaWYS96wbeS7fj2oIDMGSBJi3M7OL/SXoou2qh49F6dHqxWCWwGTCX1st pfWGKfn8pROfh3m0U5u4COYdcn5UjZFQb2oMM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+WPhMYfNHJ7IkVsrnLKCMI0knahjH/ILooZWa3gsnak=; b=NSHYdOPWsTx5MGekMMQ8Db53UgT/STIGf0Vs/6ZE4TICS9Dy6db+xtJwix7N/n+WBu gV1sHcysW3RGNiQR/pmrB1yOVd94XbMP/PWwdHLYWYBhSwynKqU+hNNvTUtSEQZbE15e UJ3BcaDvHu6W9so161jrpPCJunEUXxrS7mLvkz1uV6BdJqDuJdHYritQE6lfvTBXP0Lp uhaJIm+Jyy/viN5NgwTTNYO0c0aB/IormEdoNO4G5bV3c75Jat4r2N0J2ys/wWs5IdQD f2ZA1L+e38IxBvE7HjFX6srhyreb+A6bkaT7nkdC4MQyryeO66Q5dGaU80c5b5b/ljXI I+xA== X-Gm-Message-State: ACrzQf3MdHdiA2H/V8RXbnl/UGkHExF04e+QhiiU/rmEaImWfuEHVxRj sOo93NYAHeIk5dv92i9YkpR+Uw== X-Received: by 2002:a17:903:246:b0:179:96b5:1ad2 with SMTP id j6-20020a170903024600b0017996b51ad2mr1689962plh.37.1666077448997; Tue, 18 Oct 2022 00:17:28 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id 1-20020a620601000000b005626a1c77c8sm8334879pfg.80.2022.10.18.00.17.28 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 Oct 2022 00:17:28 -0700 (PDT) From: Kees Cook To: Eric Biederman Cc: Kees Cook , linux-fsdevel@vger.kernel.org, Jann Horn , Christian Brauner , Andy Lutomirski , David Laight , linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH] exec: Add comments on check_unsafe_exec() fs counting Date: Tue, 18 Oct 2022 00:17:24 -0700 Message-Id: <20221018071537.never.662-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1688; h=from:subject:message-id; bh=2swpYsczlaIuQF3JhkoEYj/apHe5tfn1etEA/2Jg8CE=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBjTlMDiVTpJfOh2CK4GfTNinAtSvCBsM52w9sFjjLW slnuGpSJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCY05TAwAKCRCJcvTf3G3AJqwyD/ 40TMoaejoCKGnR0OBHDCsxwwCOSAb+WJZWQgT2n89vfSQ5UK5FFm/rdx7Xyk5nu+g4m5Ov61Q7ob2p 91gck3XKFRrxkCMPOCZhh639pC8lcB/871uLLTU+NFNAfHrlfsyXnyNMG7DS4uDSR+Qo8Vqc21aigo /2EHaVg7aZPSYXpUliPxWtMHzKOdFP9om159xQyZD/9CawmpEtcr03tFl/wzzoMuJYArTLBjpNbn11 D2aubvDJS+eHIIv7cJ59SR7q8FsJaLR8VB/9XcuY+QsVp9hEnVr/f/MwwXw3k/tEH6W/3RVSCJ05pJ LLFvfX4E/pqe9q+Deagysf1pX6gjtv6qH5uSPlZwWoZnyxgfOh2awSeDDNXtQzzDIT+xKjyMk4TG/h aXu5njuWMceTFT1GvOZtHLL4Uhceb23khZvpWaK+J1/bYBXMP++c4hqpxJPwkj6GzPG5e1W7ENG+Az hMae9jAPSuYhCyK09uqcBXS49HkOro7dcZib8IopcbrKcDIa4hdu8SiZP9t42Ipq8Polo36ZqqVoU7 eRCIHsNnWfxO8TNnE/2EuN0EjVGDtWsKXjGMPwx1qNjXruJIdPzCbPUnbMEoLz0VoxKi0Oaln2m2Ne gyaK4NFHYR3MjftTXWC08z6eK3Y/CJcKuhnnl38a0dMpPIaSRfplM3wp5jbQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747009232755911637?= X-GMAIL-MSGID: =?utf-8?q?1747009232755911637?= Add some comments about what the fs counting is doing in check_unsafe_exec() and how it relates to the call graph. Specifically, we can't force an unshare of the fs because of at least Chrome: https://lore.kernel.org/lkml/86CE201B-5632-4BB7-BCF6-7CB2C2895409@chromium.org/ Cc: Eric Biederman Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Christian Brauner (Microsoft) --- fs/exec.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index 902bce45b116..01659c2ac7d8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1571,6 +1571,12 @@ static void check_unsafe_exec(struct linux_binprm *bprm) if (task_no_new_privs(current)) bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; + /* + * If another task is sharing our fs, we cannot safely + * suid exec because the differently privileged task + * will be able to manipulate the current directory, etc. + * It would be nice to force an unshare instead... + */ t = p; n_fs = 1; spin_lock(&p->fs->lock); @@ -1752,6 +1758,7 @@ static int search_binary_handler(struct linux_binprm *bprm) return retval; } +/* binfmt handlers will call back into begin_new_exec() on success. */ static int exec_binprm(struct linux_binprm *bprm) { pid_t old_pid, old_vpid; @@ -1810,6 +1817,11 @@ static int bprm_execve(struct linux_binprm *bprm, if (retval) return retval; + /* + * Check for unsafe execution states before exec_binprm(), which + * will call back into begin_new_exec(), into bprm_creds_from_file(), + * where setuid-ness is evaluated. + */ check_unsafe_exec(bprm); current->in_execve = 1;