Re: [PATCH v5 4/6] seccomp: move no_new_privs into seccomp
On Thu, May 22, 2014 at 4:05 PM, Kees Cook wrote: > Since seccomp transitions between threads requires updates to the > no_new_privs flag to be atomic, changes must be atomic. This moves the nnp > flag into the seccomp field as a separate unsigned long for atomic access. > > Signed-off-by: Kees Cook Acked-by: Andy Lutomirski -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH v5 4/6] seccomp: move no_new_privs into seccomp
Since seccomp transitions between threads requires updates to the no_new_privs flag to be atomic, changes must be atomic. This moves the nnp flag into the seccomp field as a separate unsigned long for atomic access. Signed-off-by: Kees Cook --- fs/exec.c |4 ++-- include/linux/sched.h | 13 ++--- include/linux/seccomp.h|8 +++- kernel/seccomp.c |2 +- kernel/sys.c |4 ++-- security/apparmor/domain.c |4 ++-- 6 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 238b7aa26f68..614fcb993739 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1233,7 +1233,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) * This isn't strictly necessary, but it makes it harder for LSMs to * mess up. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; t = p; @@ -1271,7 +1271,7 @@ int prepare_binprm(struct linux_binprm *bprm) bprm->cred->egid = current_egid(); if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) && - !current->no_new_privs && + !task_no_new_privs(current) && kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) && kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) { /* Set-uid? */ diff --git a/include/linux/sched.h b/include/linux/sched.h index 71a6cb66a3f3..d2a72deba43b 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1259,9 +1259,6 @@ struct task_struct { * execve */ unsigned in_iowait:1; - /* task may not gain privileges */ - unsigned no_new_privs:1; - /* Revert to default priority/policy when forking */ unsigned sched_reset_on_fork:1; unsigned sched_contributes_to_load:1; @@ -2480,6 +2477,16 @@ static inline void task_unlock(struct task_struct *p) spin_unlock(>alloc_lock); } +static inline bool task_no_new_privs(struct task_struct *p) +{ + return test_bit(SECCOMP_FLAG_NO_NEW_PRIVS, >seccomp.flags); +} + +static inline void task_set_no_new_privs(struct task_struct *p) +{ + set_bit(SECCOMP_FLAG_NO_NEW_PRIVS, >seccomp.flags); +} + #ifdef CONFIG_SECCOMP /* * Protects changes to ->seccomp diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index c47be00e8ffb..ed86b298f3b2 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -3,6 +3,8 @@ #include +#define SECCOMP_FLAG_NO_NEW_PRIVS 0 /* task may not gain privs */ + #ifdef CONFIG_SECCOMP #include @@ -17,6 +19,7 @@ struct seccomp_filter; * @lock: held when making changes to avoid thread races. * @filter: must always point to a valid seccomp-filter or NULL as it is * accessed without locking during system call entry. + * @flags: flags under write lock * * @filter must only be accessed from the context of current as there * is no locking. @@ -25,6 +28,7 @@ struct seccomp { int mode; spinlock_t lock; struct seccomp_filter *filter; + unsigned long flags; }; extern int __secure_computing(int); @@ -53,7 +57,9 @@ static inline int seccomp_mode(struct seccomp *s) #include -struct seccomp { }; +struct seccomp { + unsigned long flags; +}; struct seccomp_filter { }; static inline int secure_computing(int this_syscall) { return 0; } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d200029728ca..e7238f5708d4 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -219,7 +219,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) * This avoids scenarios where unprivileged tasks can affect the * behavior of privileged children. */ - if (!current->no_new_privs && + if (!task_no_new_privs(current) && security_capable_noaudit(current_cred(), current_user_ns(), CAP_SYS_ADMIN) != 0) return ERR_PTR(-EACCES); diff --git a/kernel/sys.c b/kernel/sys.c index fba0f29401ea..d3b4af60a411 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1990,12 +1990,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, if (arg2 != 1 || arg3 || arg4 || arg5) return -EINVAL; - current->no_new_privs = 1; + task_set_no_new_privs(current); break; case PR_GET_NO_NEW_PRIVS: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; - return current->no_new_privs ? 1 : 0; + return task_no_new_privs(current) ? 1 : 0; case PR_GET_THP_DISABLE: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index
[PATCH v5 4/6] seccomp: move no_new_privs into seccomp
Since seccomp transitions between threads requires updates to the no_new_privs flag to be atomic, changes must be atomic. This moves the nnp flag into the seccomp field as a separate unsigned long for atomic access. Signed-off-by: Kees Cook keesc...@chromium.org --- fs/exec.c |4 ++-- include/linux/sched.h | 13 ++--- include/linux/seccomp.h|8 +++- kernel/seccomp.c |2 +- kernel/sys.c |4 ++-- security/apparmor/domain.c |4 ++-- 6 files changed, 24 insertions(+), 11 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 238b7aa26f68..614fcb993739 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1233,7 +1233,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) * This isn't strictly necessary, but it makes it harder for LSMs to * mess up. */ - if (current-no_new_privs) + if (task_no_new_privs(current)) bprm-unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; t = p; @@ -1271,7 +1271,7 @@ int prepare_binprm(struct linux_binprm *bprm) bprm-cred-egid = current_egid(); if (!(bprm-file-f_path.mnt-mnt_flags MNT_NOSUID) - !current-no_new_privs + !task_no_new_privs(current) kuid_has_mapping(bprm-cred-user_ns, inode-i_uid) kgid_has_mapping(bprm-cred-user_ns, inode-i_gid)) { /* Set-uid? */ diff --git a/include/linux/sched.h b/include/linux/sched.h index 71a6cb66a3f3..d2a72deba43b 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1259,9 +1259,6 @@ struct task_struct { * execve */ unsigned in_iowait:1; - /* task may not gain privileges */ - unsigned no_new_privs:1; - /* Revert to default priority/policy when forking */ unsigned sched_reset_on_fork:1; unsigned sched_contributes_to_load:1; @@ -2480,6 +2477,16 @@ static inline void task_unlock(struct task_struct *p) spin_unlock(p-alloc_lock); } +static inline bool task_no_new_privs(struct task_struct *p) +{ + return test_bit(SECCOMP_FLAG_NO_NEW_PRIVS, p-seccomp.flags); +} + +static inline void task_set_no_new_privs(struct task_struct *p) +{ + set_bit(SECCOMP_FLAG_NO_NEW_PRIVS, p-seccomp.flags); +} + #ifdef CONFIG_SECCOMP /* * Protects changes to -seccomp diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index c47be00e8ffb..ed86b298f3b2 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -3,6 +3,8 @@ #include uapi/linux/seccomp.h +#define SECCOMP_FLAG_NO_NEW_PRIVS 0 /* task may not gain privs */ + #ifdef CONFIG_SECCOMP #include linux/thread_info.h @@ -17,6 +19,7 @@ struct seccomp_filter; * @lock: held when making changes to avoid thread races. * @filter: must always point to a valid seccomp-filter or NULL as it is * accessed without locking during system call entry. + * @flags: flags under write lock * * @filter must only be accessed from the context of current as there * is no locking. @@ -25,6 +28,7 @@ struct seccomp { int mode; spinlock_t lock; struct seccomp_filter *filter; + unsigned long flags; }; extern int __secure_computing(int); @@ -53,7 +57,9 @@ static inline int seccomp_mode(struct seccomp *s) #include linux/errno.h -struct seccomp { }; +struct seccomp { + unsigned long flags; +}; struct seccomp_filter { }; static inline int secure_computing(int this_syscall) { return 0; } diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d200029728ca..e7238f5708d4 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -219,7 +219,7 @@ static struct seccomp_filter *seccomp_prepare_filter(struct sock_fprog *fprog) * This avoids scenarios where unprivileged tasks can affect the * behavior of privileged children. */ - if (!current-no_new_privs + if (!task_no_new_privs(current) security_capable_noaudit(current_cred(), current_user_ns(), CAP_SYS_ADMIN) != 0) return ERR_PTR(-EACCES); diff --git a/kernel/sys.c b/kernel/sys.c index fba0f29401ea..d3b4af60a411 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1990,12 +1990,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, if (arg2 != 1 || arg3 || arg4 || arg5) return -EINVAL; - current-no_new_privs = 1; + task_set_no_new_privs(current); break; case PR_GET_NO_NEW_PRIVS: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; - return current-no_new_privs ? 1 : 0; + return task_no_new_privs(current) ? 1 : 0; case PR_GET_THP_DISABLE: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; diff --git a/security/apparmor/domain.c
Re: [PATCH v5 4/6] seccomp: move no_new_privs into seccomp
On Thu, May 22, 2014 at 4:05 PM, Kees Cook keesc...@chromium.org wrote: Since seccomp transitions between threads requires updates to the no_new_privs flag to be atomic, changes must be atomic. This moves the nnp flag into the seccomp field as a separate unsigned long for atomic access. Signed-off-by: Kees Cook keesc...@chromium.org Acked-by: Andy Lutomirski l...@amacapital.net -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/