summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2017-07-19 00:25:27 +0200
committerKees Cook <keescook@chromium.org>2017-08-01 21:03:08 +0200
commit46d98eb4e1d2bc225f661879e0e157a952107598 (patch)
tree39248131210a85f157d4414f3b99790c24454cab /include
parentsmack: Refactor to remove bprm_secureexec hook (diff)
downloadlinux-46d98eb4e1d2bc225f661879e0e157a952107598.tar.xz
linux-46d98eb4e1d2bc225f661879e0e157a952107598.zip
commoncap: Refactor to remove bprm_secureexec hook
The commoncap implementation of the bprm_secureexec hook is the only LSM that depends on the final call to its bprm_set_creds hook (since it may be called for multiple files, it ignores bprm->called_set_creds). As a result, it cannot safely _clear_ bprm->secureexec since other LSMs may have set it. Instead, remove the bprm_secureexec hook by introducing a new flag to bprm specific to commoncap: cap_elevated. This is similar to cap_effective, but that is used for a specific subset of elevated privileges, and exists solely to track state from bprm_set_creds to bprm_secureexec. As such, it will be removed in the next patch. Here, set the new bprm->cap_elevated flag when setuid/setgid has happened from bprm_fill_uid() or fscapabilities have been prepared. This temporarily moves the bprm_secureexec hook to a static inline. The helper will be removed in the next patch; this makes the step easier to review and bisect, since this does not introduce any changes to inputs nor outputs to the "elevated privileges" calculation. The new flag is merged with the bprm->secureexec flag in setup_new_exec() since this marks the end of any further prepare_binprm() calls. Cc: Andy Lutomirski <luto@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Andy Lutomirski <luto@kernel.org> Acked-by: James Morris <james.l.morris@oracle.com> Acked-by: Serge Hallyn <serge@hallyn.com>
Diffstat (limited to 'include')
-rw-r--r--include/linux/binfmts.h7
-rw-r--r--include/linux/security.h3
2 files changed, 8 insertions, 2 deletions
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index 16838ba7ee75..213c61fa3780 100644
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -35,6 +35,13 @@ struct linux_binprm {
* false if not; except for init which inherits
* its parent's caps anyway */
/*
+ * True if most recent call to the commoncaps bprm_set_creds
+ * hook (due to multiple prepare_binprm() calls from the
+ * binfmt_script/misc handlers) resulted in elevated
+ * privileges.
+ */
+ cap_elevated:1,
+ /*
* Set by bprm_set_creds hook to indicate a privilege-gaining
* exec has happened. Used to sanitize execution environment
* and to set AT_SECURE auxv for glibc.
diff --git a/include/linux/security.h b/include/linux/security.h
index b6ea1dc9cc9d..f89832ccdf55 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -85,7 +85,6 @@ extern int cap_capset(struct cred *new, const struct cred *old,
const kernel_cap_t *inheritable,
const kernel_cap_t *permitted);
extern int cap_bprm_set_creds(struct linux_binprm *bprm);
-extern int cap_bprm_secureexec(struct linux_binprm *bprm);
extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags);
extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
@@ -543,7 +542,7 @@ static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
static inline int security_bprm_secureexec(struct linux_binprm *bprm)
{
- return cap_bprm_secureexec(bprm);
+ return 0;
}
static inline int security_sb_alloc(struct super_block *sb)