Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier

From: Kees Cook
Date: Mon Jul 10 2017 - 12:06:41 EST

Next message: Shanker Donthineni: "Re: [PATCH v2] irqchip: gicv3-its: Use NUMA aware memory allocation for ITS tables"
Previous message: Vlastimil Babka: "Re: [RFC v1 1/2] mm/page_alloc: Prevent OOM killer from triggering if requested"
In reply to: Eric W. Biederman: "Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier"
Next in thread: Kees Cook: "Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 10, 2017 at 1:57 AM, Eric W. Biederman
<ebiederm@xxxxxxxxxxxx> wrote:
> Kees Cook <keescook@xxxxxxxxxxxx> writes:
>
>> There are several places where exec needs to know if a privilege-gain has
>> happened. These should be using the results of security_bprm_secureexec()
>> but it is getting (needlessly) called very late.
>
> It is hard to tell at a glance but I believe this introduces a
> regression.
>
> cap_bprm_set_creds is currently called before cap_bprm_secureexec and
> it has a number of cases such as no_new_privs and ptrace that can result
> in some of the precomputed credential changes not happening.
>
> Without accounting for that I believe your cap_bprm_securexec now
> returns a postive value too early.

It's still before cap_bprm_secureexec. cap_brpm_set_creds() is in
prepare_binprm(), which is well before exec_binprm() and it's eventual
call to setup_new_exec().

-Kees

--
Kees Cook
Pixel Security

Next message: Shanker Donthineni: "Re: [PATCH v2] irqchip: gicv3-its: Use NUMA aware memory allocation for ITS tables"
Previous message: Vlastimil Babka: "Re: [RFC v1 1/2] mm/page_alloc: Prevent OOM killer from triggering if requested"
In reply to: Eric W. Biederman: "Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier"
Next in thread: Kees Cook: "Re: [PATCH v2 2/8] exec: Move security_bprm_secureexec() earlier"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]