[PATCH RFC v2 4/4] exec: only set the suid flag if the current proc isn't root

From: Wander Lairson Costa
Date: Tue Dec 28 2021 - 12:13:46 EST

Next message: Naresh Kamboju: "Re: [PATCH 4.4 00/17] 4.4.297-rc1 review"
Previous message: Mauro Carvalho Chehab: "Re: [RFC 01/32] Kconfig: introduce and depend on LEGACY_PCI"
In reply to: Wander Lairson Costa: "[PATCH RFC v2 3/4] coredump: mitigate privilege escalation of process coredump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The goal of PF_SUID flag is to check if it is safe to coredump the
process. If the current process is already privileged, there is no
point in performing security checks because the name image is a
set-uid process.

Because of that, we don't set the suid flag if the forked process
already runs as root.

Signed-off-by: Wander Lairson Costa <wander@xxxxxxxxxx>
---
fs/exec.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/exec.c b/fs/exec.c
index 81d6ab9a4f64..1a3458c6c9b7 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1310,7 +1310,11 @@ int begin_new_exec(struct linux_binprm * bprm)
me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
PF_NOFREEZE | PF_NO_SETAFFINITY);

- if (bprm->suid_bin)
+ /*
+ * We set the PF_SUID flags for security reasons. There is no
+ * point in setting it if the parent is root.
+ */
+ if (bprm->suid_bin && !capable(CAP_SYS_ADMIN))
me->flags |= PF_SUID;

flush_thread();
--
2.27.0

Next message: Naresh Kamboju: "Re: [PATCH 4.4 00/17] 4.4.297-rc1 review"
Previous message: Mauro Carvalho Chehab: "Re: [RFC 01/32] Kconfig: introduce and depend on LEGACY_PCI"
In reply to: Wander Lairson Costa: "[PATCH RFC v2 3/4] coredump: mitigate privilege escalation of process coredump"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]