Re: [PATCH v2 1/2] exec: add a flag for "reasonable" execveat() comm

2024-10-01 Thread Tycho Andersen
On Mon, Sep 30, 2024 at 03:10:29PM -0500, Eric W. Biederman wrote:
> "Eric W. Biederman"  writes:
> 
> > Kees Cook  writes:
> 
> >> I'm not super comfortable doing this regardless of bprm->fdpath; that
> >> seems like too many cases getting changed. Can we just leave it as
> >> depending on bprm->fdpath?
> 
> I was recommending that because I did not expect that there was any
> widespread usage of aliasing of binary names using symlinks.
> 
> I realized today that on debian there are many aliases
> of binaries created with the /etc/alternatives mechanism.
> So there is much wider exposure to problems than I would have
> supposed.
> 
> So I remove any objections to making the new code conditional on bprm->fdpath.

Yep, and it looks like Alpine distributes busybox with symlinks
instead of hard links. I will respin with a fixed subject line shortly.

Thanks,

Tycho



Re: [PATCH v2 1/2] exec: add a flag for "reasonable" execveat() comm

2024-09-30 Thread Eric W. Biederman
"Eric W. Biederman"  writes:

> Kees Cook  writes:

>> I'm not super comfortable doing this regardless of bprm->fdpath; that
>> seems like too many cases getting changed. Can we just leave it as
>> depending on bprm->fdpath?

I was recommending that because I did not expect that there was any
widespread usage of aliasing of binary names using symlinks.

I realized today that on debian there are many aliases
of binaries created with the /etc/alternatives mechanism.
So there is much wider exposure to problems than I would have
supposed.

So I remove any objections to making the new code conditional on bprm->fdpath.

Eric




Re: [PATCH v2 1/2] exec: add a flag for "reasonable" execveat() comm

2024-09-28 Thread Kees Cook
On Fri, Sep 27, 2024 at 10:45:58AM -0500, Eric W. Biederman wrote:
> Tycho Andersen  writes:
> 
> > From: Tycho Andersen 
> >
> > Zbigniew mentioned at Linux Plumber's that systemd is interested in
> > switching to execveat() for service execution, but can't, because the
> > contents of /proc/pid/comm are the file descriptor which was used,
> > instead of the path to the binary. This makes the output of tools like
> > top and ps useless, especially in a world where most fds are opened
> > CLOEXEC so the number is truly meaningless.
> >
> > Change exec path to fix up /proc/pid/comm in the case where we have
> > allocated one of these synthetic paths in bprm_init(). This way the actual
> > exec machinery is unchanged, but cosmetically the comm looks reasonable to
> > admins investigating things.
> 
> Perhaps change the subject to match the code.
> 
> > Signed-off-by: Tycho Andersen 
> > Suggested-by: Zbigniew Jędrzejewski-Szmek 
> > CC: Aleksa Sarai 
> > Link: 
> > https://github.com/uapi-group/kernel-features#set-comm-field-before-exec
> > ---
> > v2: * drop the flag, everyone :)
> > * change the rendered value to f_path.dentry->d_name.name instead of
> >   argv[0], Eric
> > ---
> >  fs/exec.c | 13 -
> >  1 file changed, 12 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/exec.c b/fs/exec.c
> > index dad402d55681..9520359a8dcc 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -1416,7 +1416,18 @@ int begin_new_exec(struct linux_binprm * bprm)
> > set_dumpable(current->mm, SUID_DUMP_USER);
> >  
> > perf_event_exec();
> > -   __set_task_comm(me, kbasename(bprm->filename), true);
> > +
> > +   /*
> > +* If fdpath was set, execveat() made up a path that will
> > +* probably not be useful to admins running ps or similar.
> > +* Let's fix it up to be something reasonable.
> > +*/
> > +   if (bprm->fdpath) {
> > +   BUILD_BUG_ON(TASK_COMM_LEN > DNAME_INLINE_LEN);
> > +   __set_task_comm(me, bprm->file->f_path.dentry->d_name.name, 
> > true);
> 
> We can just do this regardless of bprm->fdpath.
> 
> It will be a change of behavior on when executing symlinks and possibly
> mount points but I don't think we care.  If we do then we can add make
> it conditional with "if (bprm->fdpath)"
> 
> At the very least using the above version unconditionally ought to flush
> out any bugs.

I'm not super comfortable doing this regardless of bprm->fdpath; that
seems like too many cases getting changed. Can we just leave it as
depending on bprm->fdpath?

Also, is d_name.name always going to be set? e.g. what about memfd, etc?

-- 
Kees Cook



Re: [PATCH v2 1/2] exec: add a flag for "reasonable" execveat() comm

2024-09-27 Thread Eric W. Biederman
Tycho Andersen  writes:

> From: Tycho Andersen 
>
> Zbigniew mentioned at Linux Plumber's that systemd is interested in
> switching to execveat() for service execution, but can't, because the
> contents of /proc/pid/comm are the file descriptor which was used,
> instead of the path to the binary. This makes the output of tools like
> top and ps useless, especially in a world where most fds are opened
> CLOEXEC so the number is truly meaningless.
>
> Change exec path to fix up /proc/pid/comm in the case where we have
> allocated one of these synthetic paths in bprm_init(). This way the actual
> exec machinery is unchanged, but cosmetically the comm looks reasonable to
> admins investigating things.

Perhaps change the subject to match the code.

> Signed-off-by: Tycho Andersen 
> Suggested-by: Zbigniew Jędrzejewski-Szmek 
> CC: Aleksa Sarai 
> Link: https://github.com/uapi-group/kernel-features#set-comm-field-before-exec
> ---
> v2: * drop the flag, everyone :)
> * change the rendered value to f_path.dentry->d_name.name instead of
>   argv[0], Eric
> ---
>  fs/exec.c | 13 -
>  1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index dad402d55681..9520359a8dcc 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1416,7 +1416,18 @@ int begin_new_exec(struct linux_binprm * bprm)
>   set_dumpable(current->mm, SUID_DUMP_USER);
>  
>   perf_event_exec();
> - __set_task_comm(me, kbasename(bprm->filename), true);
> +
> + /*
> +  * If fdpath was set, execveat() made up a path that will
> +  * probably not be useful to admins running ps or similar.
> +  * Let's fix it up to be something reasonable.
> +  */
> + if (bprm->fdpath) {
> + BUILD_BUG_ON(TASK_COMM_LEN > DNAME_INLINE_LEN);
> + __set_task_comm(me, bprm->file->f_path.dentry->d_name.name, 
> true);

We can just do this regardless of bprm->fdpath.

It will be a change of behavior on when executing symlinks and possibly
mount points but I don't think we care.  If we do then we can add make
it conditional with "if (bprm->fdpath)"

At the very least using the above version unconditionally ought to flush
out any bugs.

It should be 99% application invisible as all an application can see
is argv0.  So it is only ps and friends where the comm value is visible.

Eric