exec: Add a per bprm->file version of per_clear

There is a small bug in the code that recomputes parts of bprm->cred
for every bprm->file.  The code never recomputes the part of
clear_dangerous_personality_flags it is responsible for.

Which means that in practice if someone creates a sgid script
the interpreter will not be able to use any of:
	READ_IMPLIES_EXEC
	ADDR_NO_RANDOMIZE
	ADDR_COMPAT_LAYOUT
	MMAP_PAGE_ZERO.

This accentially clearing of personality flags probably does
not matter in practice because no one has complained
but it does make the code more difficult to understand.

Further remaining bug compatible prevents the recomputation from being
removed and replaced by simply computing bprm->cred once from the
final bprm->file.

Making this change removes the last behavior difference between
computing bprm->creds from the final file and recomputing
bprm->cred several times.  Which allows this behavior change
to be justified for it's own reasons, and for any but hunts
looking into why the behavior changed to wind up here instead
of in the code that will follow that computes bprm->cred
from the final bprm->file.

This small logic bug appears to have existed since the code
started clearing dangerous personality bits.

History Tree: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
Fixes: 1bb0fa189c6a ("[PATCH] NX: clean up legacy binary support")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

diff --git a/fs/exec.c b/fs/exec.c
index c3c879a55d65496923392039053954de43573265..0f793536e39340b25d23eca64120c7b0e43e7ad4 100644 (file)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1354,6 +1354,7 @@ int begin_new_exec(struct linux_binprm * bprm)
        me->flags &= ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD |
                                        PF_NOFREEZE | PF_NO_SETAFFINITY);
        flush_thread();
+       bprm->per_clear |= bprm->pf_per_clear;
        me->personality &= ~bprm->per_clear;
 
        /*
@@ -1628,12 +1629,12 @@ static void bprm_fill_uid(struct linux_binprm *bprm)
                return;
 
        if (mode & S_ISUID) {
-               bprm->per_clear |= PER_CLEAR_ON_SETID;
+               bprm->pf_per_clear |= PER_CLEAR_ON_SETID;
                bprm->cred->euid = uid;
        }
 
        if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-               bprm->per_clear |= PER_CLEAR_ON_SETID;
+               bprm->pf_per_clear |= PER_CLEAR_ON_SETID;
                bprm->cred->egid = gid;
        }
 }
@@ -1654,6 +1655,7 @@ static int prepare_binprm(struct linux_binprm *bprm)
 
                /* Recompute parts of bprm->cred based on bprm->file */
                bprm->active_secureexec = 0;
+               bprm->pf_per_clear = 0;
                bprm_fill_uid(bprm);
                retval = security_bprm_repopulate_creds(bprm);
                if (retval)

diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
index 7fc05929c967a0c82411ec8083ff0687ae69378b..50025ead0b7285f3c6980e6ecd2fe78f8a55e3fe 100644 (file)
--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -55,6 +55,11 @@ struct linux_binprm {
        struct file * file;
        struct cred *cred;      /* new credentials */
        int unsafe;             /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
+       /*
+        * bits to clear in current->personality
+        * recalculated for each bprm->file.
+        */
+       unsigned int pf_per_clear;
        unsigned int per_clear; /* bits to clear in current->personality */
        int argc, envc;
        const char * filename;  /* Name of binary as seen by procps */

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index d618ecc4d6608578087535b4199f6c0f141024f5..f68076d440f3b84b7cbd32e1d17753368b174bb6 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -55,6 +55,8 @@
  *     transitions between security domains).
  *     The hook must set @bprm->active_secureexec to 1 if AT_SECURE should be set to
  *     request libc enable secure mode.
+ *     The hook must add to @bprm->pf_per_clear any personality flags that
+ *     should be cleared from current->personality.
  *     @bprm contains the linux_binprm structure.
  *     Return 0 if the hook is successful and permission is granted.
  * @bprm_check_security:

diff --git a/security/commoncap.c b/security/commoncap.c
index 77b04cb6feac70a03abc1e93df05540423d51336..6de72d22dc6c510a86d2dc452173ff0912a67936 100644 (file)
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -826,7 +826,7 @@ int cap_bprm_repopulate_creds(struct linux_binprm *bprm)
 
        /* if we have fs caps, clear dangerous personality flags */
        if (__cap_gained(permitted, new, old))
-               bprm->per_clear |= PER_CLEAR_ON_SETID;
+               bprm->pf_per_clear |= PER_CLEAR_ON_SETID;
 
        /* Don't let someone trace a set[ug]id/setpcap binary with the revised
         * credentials unless they have the appropriate permit.