Re: [PATCH 2/2] exec: Compute file based creds only once

2020-05-29 Thread Kees Cook
On Fri, May 29, 2020 at 10:28:41PM -0500, Eric W. Biederman wrote:
> The range-diff winds up being:
> 1:  c9258ef4879b ! 1:  a7868323c263 exec: Add a per bprm->file version of 
> per_clear
> @@ Commit message
>  
>  History Tree: 
> git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
>  Fixes: 1bb0fa189c6a ("[PATCH] NX: clean up legacy binary support")
> +Reviewed-by: Kees Cook 
>  Signed-off-by: "Eric W. Biederman" 
>  
>   ## fs/exec.c ##
> @@ include/linux/lsm_hooks.h
>*  transitions between security domains).
>*  The hook must set @bprm->active_secureexec to 1 if AT_SECURE 
> should be set to
>*  request libc enable secure mode.
> -+ *  The hook must set @bprm->pf_per_clear to the personality flags 
> that
> -+ *  should be cleared from current->personality.
> ++ *  The hook must add to @bprm->pf_per_clear any personality flags 
> that
> ++ *  should be cleared from current->personality.
>*  @bprm contains the linux_binprm structure.
>*  Return 0 if the hook is successful and permission is granted.
>* @bprm_check_security:
> 2:  e6f20c69b96e ! 2:  56305aa9b6fa exec: Compute file based creds only once
> @@ Commit message
>  secureity attribute and derive capabilities from the fact the
>  user had uid 0 has been added.
>  
> +Reviewed-by: Kees Cook 
>  Signed-off-by: "Eric W. Biederman" 
>  
>   ## fs/binfmt_misc.c ##
> @@ include/linux/lsm_hooks.h
>  + *  between security domains).
>  + *  The hook must set @bprm->secureexec to 1 if AT_SECURE should be 
> set to
>*  request libc enable secure mode.
> -- *  The hook must set @bprm->pf_per_clear to the personality flags 
> that
> -+ *  The hook must set @bprm->per_clear to the personality flags that
> -  *  should be cleared from current->personality.
> +- *  The hook must add to @bprm->pf_per_clear any personality flags 
> that
> ++ *  The hook must add to @bprm->per_clear any personality flags that
> +  *  should be cleared from current->personality.
>*  @bprm contains the linux_binprm structure.
>*  Return 0 if the hook is successful and permission is granted.

Awesome; thanks!

> > The cap_ambient_invariant_ok() test is needlessly repeated: it doesn't
> > examine securebits, and nonroot_raised_pE appears to have no
> > side-effects.
> >
> > One of those can be dropped, yes?
> 
> That is what it looks like to me.

Okay, cool. I was worried I was missing something in the mess of tiny
helper calls. :)

> I hope that when the dust clears the function can become a
> straightforward implementation of the capability equations.
> We will see.

Yeah, this looks better and better every day! I'm glad you're able to
dig through all of this.

-- 
Kees Cook


Re: [PATCH 2/2] exec: Compute file based creds only once

2020-05-29 Thread Eric W. Biederman
Kees Cook  writes:

> On Fri, May 29, 2020 at 11:47:29AM -0500, Eric W. Biederman wrote:
>> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
>> index cd3dd0afceb5..37bb3df751c6 100644
>> --- a/include/linux/lsm_hooks.h
>> +++ b/include/linux/lsm_hooks.h
>> @@ -44,18 +44,18 @@
>>   *  request libc enable secure mode.
>> - *  The hook must set @bprm->pf_per_clear to the personality flags that
>> + *  The hook must set @bprm->per_clear to the personality flags that
>
> Here and the other per_clear comment have language that doesn't quite
> line up with how hooks should deal with the bits. They should not "set
> it to" the personality flags they want clear, they need to "add the
> bits" they want to see cleared. i.e I don't want something thinking
> they're the only one touching per_clear, so they should never do:
>   bprm->per_clear = PER_CLEAR_ON_SETID;
> but always:
>   bprm->per_clear |= PER_CLEAR_ON_SETID;
>
> How about:
>
> The hook must set @bprm->per_clear with any personality flag bits that

Sounds good:

The range-diff winds up being:
1:  c9258ef4879b ! 1:  a7868323c263 exec: Add a per bprm->file version of 
per_clear
@@ Commit message
 
 History Tree: 
git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
 Fixes: 1bb0fa189c6a ("[PATCH] NX: clean up legacy binary support")
+Reviewed-by: Kees Cook 
 Signed-off-by: "Eric W. Biederman" 
 
  ## fs/exec.c ##
@@ include/linux/lsm_hooks.h
   *transitions between security domains).
   *The hook must set @bprm->active_secureexec to 1 if AT_SECURE 
should be set to
   *request libc enable secure mode.
-+ *The hook must set @bprm->pf_per_clear to the personality flags 
that
-+ *should be cleared from current->personality.
++ *The hook must add to @bprm->pf_per_clear any personality flags 
that
++ *should be cleared from current->personality.
   *@bprm contains the linux_binprm structure.
   *Return 0 if the hook is successful and permission is granted.
   * @bprm_check_security:
2:  e6f20c69b96e ! 2:  56305aa9b6fa exec: Compute file based creds only once
@@ Commit message
 secureity attribute and derive capabilities from the fact the
 user had uid 0 has been added.
 
+Reviewed-by: Kees Cook 
 Signed-off-by: "Eric W. Biederman" 
 
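Review bot: the commit-message context line `secureity attribute and derive capabilities from the fact the` still carries the misspelling `secureity` (should be `security`); since this range-diff already touches the commit message to add the Reviewed-by tag, fix the spelling in the same respin.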
  ## fs/binfmt_misc.c ##
@@ include/linux/lsm_hooks.h
 + *between security domains).
 + *The hook must set @bprm->secureexec to 1 if AT_SECURE should be 
set to
   *request libc enable secure mode.
-- *The hook must set @bprm->pf_per_clear to the personality flags 
that
-+ *The hook must set @bprm->per_clear to the personality flags that
-  *should be cleared from current->personality.
+- *The hook must add to @bprm->pf_per_clear any personality flags 
that
++ *The hook must add to @bprm->per_clear any personality flags that
+  *should be cleared from current->personality.
   *@bprm contains the linux_binprm structure.
   *Return 0 if the hook is successful and permission is granted.
 

>> diff --git a/security/commoncap.c b/security/commoncap.c
>
> Not about this patch, but while looking through this file, I see:
>
> int cap_bprm_set_creds(struct linux_binprm *bprm)
> {
>   ...
>   *capability manipulations*
>
> if (WARN_ON(!cap_ambient_invariant_ok(new)))
> return -EPERM;
>
> if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
> ret = audit_log_bprm_fcaps(bprm, new, old);
> if (ret < 0)
> return ret;
> }
>
> new->securebits &= ~issecure_mask(SECURE_KEEP_CAPS);
>
> if (WARN_ON(!cap_ambient_invariant_ok(new)))
> return -EPERM;
>   ...
> }
>
> The cap_ambient_invariant_ok() test is needlessly repeated: it doesn't
> examine securebits, and nonroot_raised_pE appears to have no
> side-effects.
>
> One of those can be dropped, yes?

That is what it looks like to me.

I am hoping to take a deep dive into this function after I finish with
bprm_fill_uid (the patches that were dropped).

My brain bends on little details like is_setid not testing if the
executable was suid or sgid, but instead is testing something close but
unrelated.

I hope that when the dust clears the function can become a
straightforward implementation of the capability equations.
We will see.

Eric
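The point raised above about hooks OR-ing bits into per_clear rather than assigning it, as an added example that is not part of this thread or of the kernel tree: a toy C model with two hypothetical hooks, where the assignment form lets READ_IMPLIES_EXEC survive a setid exec while the `|=` form clears it. The personality bit values are assumed from include/uapi/linux/personality.h.

```c
/* Toy model of several LSM hooks contributing to bprm->per_clear. Added
 * example, not kernel code: the hooks are hypothetical and the bit values
 * are assumed from include/uapi/linux/personality.h. */
#include <stdio.h>

#define ADDR_NO_RANDOMIZE  0x0040000UL
#define MMAP_PAGE_ZERO     0x0100000UL
#define ADDR_COMPAT_LAYOUT 0x0200000UL
#define READ_IMPLIES_EXEC  0x0400000UL
#define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE | \
                            ADDR_COMPAT_LAYOUT | MMAP_PAGE_ZERO)

struct binprm { unsigned long per_clear; }; /* bits to strip on exec */
typedef void (*creds_hook)(struct binprm *bprm);

/* Capability-style hook: a setid file loses every PER_CLEAR_ON_SETID bit. */
static void cap_hook(struct binprm *b) { b->per_clear |= PER_CLEAR_ON_SETID; }

/* Hypothetical second LSM that only cares about ASLR. Wrong form: plain
 * assignment silently discards what cap_hook asked for. */
static void aslr_hook_assign(struct binprm *b) { b->per_clear = ADDR_NO_RANDOMIZE; }

/* Correct form: add bits, never overwrite the accumulated set. */
static void aslr_hook_or(struct binprm *b) { b->per_clear |= ADDR_NO_RANDOMIZE; }

const creds_hook bad_hooks[]  = { cap_hook, aslr_hook_assign };
const creds_hook good_hooks[] = { cap_hook, aslr_hook_or };

/* Run the hook chain, then apply it as begin_new_exec does
 * (me->personality &= ~bprm->per_clear). Returns the new personality. */
unsigned long exec_personality(unsigned long personality,
                               const creds_hook *hooks, int nhooks)
{
    struct binprm bprm = { 0 };
    for (int i = 0; i < nhooks; i++)
        hooks[i](&bprm);
    return personality & ~bprm.per_clear;
}

int main(void)
{
    /* Constructed starting personality: both bits a setid exec must drop. */
    unsigned long before = READ_IMPLIES_EXEC | ADDR_NO_RANDOMIZE;
    printf("assign: 0x%lx  or: 0x%lx\n", exec_personality(before, bad_hooks, 2),
           exec_personality(before, good_hooks, 2));
    return 0;
}
```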



Re: [PATCH 2/2] exec: Compute file based creds only once

2020-05-29 Thread Kees Cook
On Fri, May 29, 2020 at 11:47:29AM -0500, Eric W. Biederman wrote:
> Move the computation of creds from prepare_binfmt into begin_new_exec
> so that the creds need only be computed once.  This is just code
> reorganization; no semantic changes of any kind are made.
> 
> Moving the computation is safe.  I have looked through the kernel and
> verified none of the binfmts look at bprm->cred directly, and that
> there are no helpers that look at bprm->cred indirectly.  Which means
> that it is not a problem to compute the bprm->cred later in the
> execution flow as it is not used until it becomes current->cred.
> 
> A new function bprm_creds_from_file is added to contain the work that
> needs to be done.  bprm_creds_from_file first computes which file
> bprm->executable or most likely bprm->file that the bprm->creds
> will be computed from.
> 
> The function bprm_fill_uid is updated to receive the file instead of
> accessing bprm->file.  The now unnecessary work needed to reset the
> bprm->cred->euid and bprm->cred->egid is removed from bprm_fill_uid.
> A small comment has been added to document that bprm_fill_uid now only
> deals with the work to handle suid and sgid files.  The default case is
> already handled by prepare_exec_creds.
> 
> The function security_bprm_repopulate_creds is renamed
> security_bprm_creds_from_file and now is explicitly passed the file
> from which to compute the creds.  The documentation of the
> bprm_creds_from_file security hook is updated to explain when the hook
> is called and what it needs to do.  The file is passed from
> cap_bprm_creds_from_file into get_file_caps so that the caps are
> computed for the appropriate file.  The now unnecessary work in
> cap_bprm_creds_from_file to reset the ambient capabilities has been
> removed.  A small comment to document that the work of
> cap_bprm_creds_from_file is to read capabilities from the file's
> security attribute and derive capabilities from the fact the
> user had uid 0 has been added.
> 
> Signed-off-by: "Eric W. Biederman" 

This all looks good to me. Small notes below...

Reviewed-by: Kees Cook 

> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index cd3dd0afceb5..37bb3df751c6 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -44,18 +44,18 @@
>   *   request libc enable secure mode.
>   *   @bprm contains the linux_binprm structure.
>   *   Return 0 if the hook is successful and permission is granted.
> - * @bprm_repopulate_creds:
> - *   Assuming that the relevant bits of @bprm->cred->security have been
> - *   previously set, examine @bprm->file and regenerate them.  This is
> - *   so that the credentials derived from the interpreter the code is
> - *   actually going to run are used rather than credentials derived
> - *   from a script.  This done because the interpreter binary needs to
> - *   reopen script, and may end up opening something completely different.
> - *   This hook may also optionally check permissions (e.g. for
> - *   transitions between security domains).
> - *   The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be 
> set to
> + * @bprm_creds_from_file:
> + *   If @file is setpcap, suid, sgid or otherwise marked to change
> + *   privilege upon exec, update @bprm->cred to reflect that change.
> + *   This is called after finding the binary that will be executed.
> + *   without an interpreter.  This ensures that the credentials will not
> + *   be derived from a script that the binary will need to reopen, which
> + *   when reopend may end up being a completely different file.  This
> + *   hook may also optionally check permissions (e.g. for transitions
> + *   between security domains).
> + *   The hook must set @bprm->secureexec to 1 if AT_SECURE should be set to
>   *   request libc enable secure mode.
> - *   The hook must set @bprm->pf_per_clear to the personality flags that
> + *   The hook must set @bprm->per_clear to the personality flags that
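Review bot: two wording defects in the added @bprm_creds_from_file text: the line `This is called after finding the binary that will be executed.` ends with a full stop although the sentence continues on the next line with `without an interpreter.`, and `reopend` in `when reopend may end up being a completely different file` should read `reopened`. Both are in the + lines of this hunk and are worth fixing in the respin.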

Here and the other per_clear comment have language that doesn't quite
line up with how hooks should deal with the bits. They should not "set
it to" the personality flags they want clear, they need to "add the
bits" they want to see cleared. i.e I don't want something thinking
they're the only one touching per_clear, so they should never do:
bprm->per_clear = PER_CLEAR_ON_SETID;
but always:
bprm->per_clear |= PER_CLEAR_ON_SETID;

How about:

The hook must set @bprm->per_clear with any personality flag bits that

> diff --git a/security/commoncap.c b/security/commoncap.c

Not about this patch, but while looking through this file, I see:

int cap_bprm_set_creds(struct linux_binprm *bprm)
{
...
*capability manipulations*

if (WARN_ON(!cap_ambient_invariant_ok(new)))
return -EPERM;

if (nonroot_raised_pE(new, old, root_uid, has_fcap)) {
ret = audit_log_bprm_fcaps(bprm, new, old);
if (ret < 0)

[PATCH 2/2] exec: Compute file based creds only once

2020-05-29 Thread Eric W. Biederman


Move the computation of creds from prepare_binfmt into begin_new_exec
so that the creds need only be computed once.  This is just code
reorganization; no semantic changes of any kind are made.

Moving the computation is safe.  I have looked through the kernel and
verified none of the binfmts look at bprm->cred directly, and that
there are no helpers that look at bprm->cred indirectly.  Which means
that it is not a problem to compute the bprm->cred later in the
execution flow as it is not used until it becomes current->cred.

A new function bprm_creds_from_file is added to contain the work that
needs to be done.  bprm_creds_from_file first computes which file
bprm->executable or most likely bprm->file that the bprm->creds
will be computed from.

The function bprm_fill_uid is updated to receive the file instead of
accessing bprm->file.  The now unnecessary work needed to reset the
bprm->cred->euid and bprm->cred->egid is removed from bprm_fill_uid.
A small comment has been added to document that bprm_fill_uid now only
deals with the work to handle suid and sgid files.  The default case is
already handled by prepare_exec_creds.

The function security_bprm_repopulate_creds is renamed
security_bprm_creds_from_file and now is explicitly passed the file
from which to compute the creds.  The documentation of the
bprm_creds_from_file security hook is updated to explain when the hook
is called and what it needs to do.  The file is passed from
cap_bprm_creds_from_file into get_file_caps so that the caps are
computed for the appropriate file.  The now unnecessary work in
cap_bprm_creds_from_file to reset the ambient capabilities has been
removed.  A small comment to document that the work of
cap_bprm_creds_from_file is to read capabilities from the file's
security attribute and derive capabilities from the fact the
user had uid 0 has been added.

Signed-off-by: "Eric W. Biederman" 
---
 fs/binfmt_misc.c  |  2 +-
 fs/exec.c | 63 +++
 include/linux/binfmts.h   | 14 ++--
 include/linux/lsm_hook_defs.h |  2 +-
 include/linux/lsm_hooks.h | 22 ++--
 include/linux/security.h  |  9 ++---
 security/commoncap.c  | 24 +++--
 security/security.c   |  4 +--
 8 files changed, 61 insertions(+), 79 deletions(-)

diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
index 53968ea07b57..bc5506619b7e 100644
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -192,7 +192,7 @@ static int load_misc_binary(struct linux_binprm *bprm)
 
bprm->interpreter = interp_file;
if (fmt->flags & MISC_FMT_CREDENTIALS)
-   bprm->preserve_creds = 1;
+   bprm->execfd_creds = 1;
 
retval = 0;
 ret:
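Review bot: the rename from `bprm->preserve_creds = 1;` to `bprm->execfd_creds = 1;` is not explained in the commit message, which only describes moving the cred computation and renaming the security hook; add a sentence on what execfd_creds means for MISC_FMT_CREDENTIALS binaries so the field rename can be reviewed against its intent.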
diff --git a/fs/exec.c b/fs/exec.c
index 0f793536e393..e8599236290d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -72,6 +72,8 @@
 
 #include 
 
+static int bprm_creds_from_file(struct linux_binprm *bprm);
+
 int suid_dumpable = 0;
 
 static LIST_HEAD(formats);
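Review bot: the forward declaration `static int bprm_creds_from_file(struct linux_binprm *bprm);` exists only because the definition sits below begin_new_exec; placing the definition above its first caller would avoid the prototype, or a short comment could say why the current order is kept.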
@@ -1304,6 +1306,11 @@ int begin_new_exec(struct linux_binprm * bprm)
struct task_struct *me = current;
int retval;
 
+   /* Once we are committed compute the creds */
+   retval = bprm_creds_from_file(bprm);
+   if (retval)
+   return retval;
+
/*
 * Ensure all future errors are fatal.
 */
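Review bot: the comment `/* Once we are committed compute the creds */` suggests this runs past the point of no return, but the `if (retval) return retval;` sits before the `Ensure all future errors are fatal.` block, so a failure here is still recoverable; rewording to something like `/* The binary to run is now known: compute the creds */` would make that clear.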
@@ -1354,7 +1361,6 @@ int begin_new_exec(struct linux_binprm * bprm)
me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
PF_NOFREEZE | PF_NO_SETAFFINITY);
flush_thread();
-   bprm->per_clear |= bprm->pf_per_clear;
me->personality &= ~bprm->per_clear;
 
/*
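Review bot: with `bprm->per_clear |= bprm->pf_per_clear;` removed, whatever the security hook writes into bprm->per_clear is applied directly by `me->personality &= ~bprm->per_clear;`, so the hook documentation should require hooks to OR bits into per_clear rather than assign it, otherwise a later hook can drop bits an earlier one requested cleared.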
@@ -1365,13 +1371,6 @@ int begin_new_exec(struct linux_binprm * bprm)
 */
do_close_on_exec(me->files);
 
-   /*
-* Once here, prepare_binrpm() will not be called any more, so
-* the final state of setuid/setgid/fscaps can be merged into the
-* secureexec flag.
-*/
-   bprm->secureexec |= bprm->active_secureexec;
-
if (bprm->secureexec) {
/* Make sure parent cannot signal privileged process. */
me->pdeath_signal = 0;
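Review bot: dropping `bprm->secureexec |= bprm->active_secureexec;` means any remaining writer of bprm->active_secureexec no longer influences the `if (bprm->secureexec)` path below; the commit message should state that all such writers were converted to set bprm->secureexec directly (the lsm_hooks.h hunk changes the documented field accordingly).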
@@ -1587,29 +1586,21 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
spin_unlock(>fs->lock);
 }
 
-static void bprm_fill_uid(struct linux_binprm *bprm)
+static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file)
 {
+   /* Handle suid and sgid on files */
struct inode *inode;
unsigned int mode;
kuid_t uid;
kgid_t gid;
 
-   /*
-* Since this can be called multiple times (via prepare_binprm),
-* we must clear any previous work done when setting set[ug]id
-* bits from any earlier bprm->file uses (for example when run
-* first for a setuid script then again for its interpreter).
-*/
-   bprm->cred->euid = current_euid();
-   bprm->cred->egid = current_egid();
-
-   if
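Review bot: the new `/* Handle suid and sgid on files */` comment is placed inside the function body ahead of the local declarations; kernel style would put it as a comment above `static void bprm_fill_uid(struct linux_binprm *bprm, struct file *file)`, and it could also say that the euid/egid reset removed here is now done once by prepare_exec_creds, as the commit message notes.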