When the credentials have been recomputed per file the per_clear
status has not been recomputed. Update the per file calcuations to
recompute per_clear on a per file basis in a separate variable and to
combine that variable into the final per_clear value.
This makes which personality bits are clear not depend on the
permissions of shell scripts with interpreters, but instead only on
the final bprm->file that bprm_fill_uid and
security_bprm_repopulate_creds are called upon.
History Tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Fixes: 1bb0fa189c6a ("[PATCH] NX: clean up legacy binary support")
Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
---
fs/exec.c | 7 ++++---
include/linux/binfmts.h | 3 +++
include/linux/lsm_hooks.h | 2 +-
security/commoncap.c | 2 +-
4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index 51fab62b9fca..221d12dcaa3e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1354,7 +1354,7 @@ int begin_new_exec(struct linux_binprm * bprm)
me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
PF_NOFREEZE | PF_NO_SETAFFINITY);
flush_thread();
- if (bprm->per_clear)
+ if (bprm->per_clear || bprm->active_per_clear)
me->personality &= ~PER_CLEAR_ON_SETID;
/*
@@ -1629,12 +1629,12 @@ static void bprm_fill_uid(struct linux_binprm *bprm)
return;
if (mode & S_ISUID) {
- bprm->per_clear = 1;
+ bprm->active_per_clear = 1;
bprm->cred->euid = uid;
}
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
- bprm->per_clear = 1;
+ bprm->active_per_clear = 1;
bprm->cred->egid = gid;
}
}
@@ -1655,6 +1655,7 @@ static int prepare_binprm(struct linux_binprm *bprm)
/* Recompute parts of bprm->cred based on bprm->file */
bprm->active_secureexec = 0;
+ bprm->active_per_clear = 0;
bprm_fill_uid(bprm);
retval = security_bprm_repopulate_creds(bprm);
if (retval)
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index e7959a6a895a..89231a689957 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -26,6 +26,9 @@ struct linux_binprm {
unsigned long p; /* current top of mem */
unsigned long argmin; /* rlimit marker for copy_strings() */
unsigned int
+ /* Does bprm->file warrant clearing personality bits? */
+ active_per_clear:1,
+
/* Should unsafe personality bits be cleared? */
per_clear:1,
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0ca68ad53592..62e60e55cb99 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -57,7 +57,7 @@
* transitions between security domains).
* The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be
set to
* request libc enable secure mode.
- * The hook must set @bprm->per_clear to 1 if the dangerous personality
+ * The hook must set @bprm->active_per_clear to 1 if the dangerous
personality
* bits must be cleared from current->personality.
* @bprm contains the linux_binprm structure.
* Return 0 if the hook is successful and permission is granted.
diff --git a/security/commoncap.c b/security/commoncap.c
index 48b556046483..0b72d7bf23e1 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -826,7 +826,7 @@ int cap_bprm_repopulate_creds(struct linux_binprm *bprm)
/* if we have fs caps, clear dangerous personality flags */
if (__cap_gained(permitted, new, old))
- bprm->per_clear = 1;
+ bprm->active_per_clear = 1;
/* Don't let someone trace a set[ug]id/setpcap binary with the revised
* credentials unless they have the appropriate permit.
--
2.25.0
