On Tue, 18 Jul 2017, Kees Cook wrote: > The commoncap implementation of the bprm_secureexec hook is the only LSM > that depends on the final call to its bprm_set_creds hook (since it may > be called for multiple files, it ignores bprm->called_set_creds). As a > result, it cannot safely _clear_ bprm->secureexec since other LSMs may > have set it. Instead, remove the bprm_secureexec hook by introducing a > new flag to bprm specific to commoncap: cap_elevated. This is similar to > cap_effective, but that is used for a specific subset of elevated > privileges, and exists solely to track state from bprm_set_creds to > bprm_secureexec. As such, it will be removed in the next patch. > > Here, set the new bprm->cap_elevated flag when setuid/setgid has happened > from bprm_fill_uid() or fscapabilities have been prepared. This temporarily > moves the bprm_secureexec hook to a static inline. The helper will be > removed in the next patch; this makes the step easier to review and bisect, > since this does not introduce any changes to inputs nor outputs to the > "elevated privileges" calculation. > > The new flag is merged with the bprm->secureexec flag in setup_new_exec() > since this marks the end of any further prepare_binprm() calls. > > Cc: Serge Hallyn <[email protected]> > Cc: Andy Lutomirski <[email protected]> > Signed-off-by: Kees Cook <[email protected]>
Acked-by: James Morris <[email protected]> -- James Morris <[email protected]>
