[PATCH RFC 4/4] exec: only set the suid flag if the current proc isn't root

From: Wander Lairson Costa
Date: Mon Dec 27 2021 - 17:38:12 EST

Next message: Cosmin Tanislav: "[PATCH v2 0/1] Add hwmon debugfs register access"
Previous message: Wander Lairson Costa: "[PATCH RFC 3/4] coredump: mitigate privilege escalation of process coredump"
In reply to: Wander Lairson Costa: "[PATCH RFC 3/4] coredump: mitigate privilege escalation of process coredump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The goal of PF_SUID flag is to check if it is safe to coredump the
process. If the current process is already privileged, there is no
point in performing security checks because the name image is a
set-uid process.

Because of that, we don't set the suid flag if the forked process
already runs as root.

Signed-off-by: Wander Lairson Costa <wander@xxxxxxxxxx>
---
fs/exec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index b4bd157a5282..d73b21b6298c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1312,7 +1312,11 @@ int begin_new_exec(struct linux_binprm * bprm)
me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
PF_NOFREEZE | PF_NO_SETAFFINITY);

- if (bprm->suid_bin)
+ /*
+ * We set the PF_SUID flags for security reasons. There is no
+ * point in setting it if the parent is root.
+ */
+ if (bprm->suid_bin && !capable(CAP_SYS_ADMIN))
me->flags |= PF_SUID;

flush_thread();
--
2.27.0

Next message: Cosmin Tanislav: "[PATCH v2 0/1] Add hwmon debugfs register access"
Previous message: Wander Lairson Costa: "[PATCH RFC 3/4] coredump: mitigate privilege escalation of process coredump"
In reply to: Wander Lairson Costa: "[PATCH RFC 3/4] coredump: mitigate privilege escalation of process coredump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]