From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id C4B3AC0218D for ; Sun, 26 Jan 2025 14:49:15 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 53D6E2800FE; Sun, 26 Jan 2025 09:49:15 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 4ED972800FA; Sun, 26 Jan 2025 09:49:15 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 3B57A2800FE; Sun, 26 Jan 2025 09:49:15 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11]) by kanga.kvack.org (Postfix) with ESMTP id 1E6DC2800FA for ; Sun, 26 Jan 2025 09:49:15 -0500 (EST) Received: from smtpin27.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id C439CB07BC for ; Sun, 26 Jan 2025 14:49:14 +0000 (UTC) X-FDA: 83049885828.27.A334651 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf02.hostedemail.com (Postfix) with ESMTP id F178480009 for ; Sun, 26 Jan 2025 14:49:12 +0000 (UTC) Authentication-Results: imf02.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=ENg3tkJk; spf=pass (imf02.hostedemail.com: domain of sashal@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=sashal@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1737902953; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=sHtyDwTTffRRlbCBcexqQzGI6CwqHcXITIQNUYLTbVg=; b=2fHCRCkVNY0calALApdBcaU/Q3fXVwtkjazQS2pRve9l3i8lQSZeng30F9xgolHWJyvTZs c0r+iVGRKvamiXllQFc0h8FnVPVT7NpjAvkE7bXYZ4Rdj2B5uSVj4XcPPcJnwPINLrGNLH Ie/iZ/8LHYIwtV0HrDIAZ+Zj2Hnsh34= ARC-Authentication-Results: i=1; imf02.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=ENg3tkJk; spf=pass (imf02.hostedemail.com: domain of sashal@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=sashal@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1737902953; a=rsa-sha256; cv=none; b=h0mCthj1V4zOnCcloxrzFWHLA9nhtaRwwWGwXl4ZtoZZ0RsQFsaXzzVj9HhtMAx7dvdR3H VJHdlGnd5GHBpX2qX1Ge5/N9J1on4RYPf2LOaHlO4GzLVPCtWXwH29ze1nD7koyq3Wcutp rhg331CO5d0KKzFce8WtgKfz+NadheU= Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id BE1155C5F20; Sun, 26 Jan 2025 14:48:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4B1D7C4CEE2; Sun, 26 Jan 2025 14:49:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1737902951; bh=zhtN49e0yQxVBN/iIZ28eZPRpCySibQixtPUROJQi0w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ENg3tkJkpvMbDswfjoWUb5MDsBW/k1K5QgBVxQOpGzOJewLzDAHzurQatbuWf/tB4 n1nTDE0mVrlcuaCvsEdKgicr+1EvJJ5ZHtJyO8iGi/GQtLoFLHArfhhL2VwhxDyGWK EuJneKKWU7BgJhG1j2B37N0K/gF8EcsjvX84Aetkb/jTRzZmMK+PaFxR1gnXvaDqwf jJJMy5FnW6/zjs/mCHHm1j4krlCFnrSKTcsd8ALMrh8K4DV5SyWH/2JTzTr1CMnGW7 WKQdRyuJ7vKNwRMNVRyoqvIV+H8yhPXZRDdl70bsuCqbpHxyIixWNetjoDQ2vfCeYo tXHT6RO6eMuJA== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Kees Cook , =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= , Tycho Andersen , Al Viro , Linus Torvalds , Aleksa Sarai , Sasha Levin , brauner@kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org Subject: [PATCH AUTOSEL 6.6 2/5] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case Date: Sun, 26 Jan 2025 09:49:03 -0500 Message-Id: <20250126144906.925468-2-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250126144906.925468-1-sashal@kernel.org> References: <20250126144906.925468-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.6.74 Content-Transfer-Encoding: 8bit X-Rspamd-Server: rspam02 X-Rspamd-Queue-Id: F178480009 X-Stat-Signature: 6ysj616xxignjykpef9k7iw3i37s1kit X-Rspam-User: X-HE-Tag: 1737902952-170744 X-HE-Meta: U2FsdGVkX18Em14LF5B1M2JulK8rKy1AbQlCPMiKBS3nMv0klb9IBwwndyZpbtweH54jiGPP7U/bfWeCk8qQ1GgWs//lEYdAYk8e+OdKldcKRW26A6GZJxAERV+EwoyNpVBdzSROB88zGbYBS6iBrpyq9ve5Rm7B+c0Zd3zUcwbl2oT+10l/5Fvbc+lki/mhPfxi2UrDq+uPbFKKAoLK9ttA0yjFGQ1HiXGQskniz2b9qgBwWnfxU0Gno0ojzQAH1F86NAgq2oQ8zI0I4pKkQI9vKClLaec0tMnh5m1VdeYU4lWsZ7OXzFN2OV8Hxe+6GF/mhWKWnFZrQBb/XXO+VJJQPsgR2DZn92hTUQJCFQb7w2rO8fl3DhCr+/jbbLuisvD1G+wlMyPDHxfZiGw0D3WXL2Crjs/vGk6lYBp8xcWScmSEMo68KAomHOX33zELQ9JwG7xS8VXt87gYqY6bT6ji80HTzvQ1xEL100BHNq5IxmQqwPg+IZKLAQPfv8JC41O/QO5cjzeiAH0nBkd7xlfKUqN4P4uC2tc9c7HqSC2BFJOnkYzTm4w9oWmrIvk5f+A7UWcIsuWkiJwfQA6Vh8hKq1aNJvcPuvQCYezty+QuUj2kfCByOXpXbA3uQZtxQTFZbGR+puEVG0FFER4ukbFIJt7amjdpIbckx1PuMpZpCYGKYZSaBF8bOi2hTYGCGHEidrJC2ab4CKV1WQi318bCldhS7vOsfH6bOGuXw2BWm6p2GpWSoyWx8FXMgHtUWnWaZL8UoPixpiwhxl4M/Xk0N6tR6TVHsCOXWdFuqiB2SYYk4iJAL91VbdB7pANfieFQbaoNK+EAMvcE8XtmB8dDHx6QrNsKw1YKt6+7zTdRqKVDWs+mGdw8kZBJ+qy3/jYWBrRZrtpu1aMw310M4lqQnS/LIxgiaod6HjuBzyqscrK3C/Ve4XCMTNHYcKSwcOJ7FtpxXvWzg+0AlvN bDTUIoXs 9eajmWB8iOWILbw6tHE7C3KT/rObK0XsrKGWEvOmup7PVc8P1BByyTGkVamVa8lDndGIF2ty4wHjvCfHLKEOsEgyFn1uy1E53J6JiqAhAMKhsGR0Pu1vekVfs6XjsOsMUKU4e9GgLuXDAKg0keLUniiaB15VzdI5Uqvfz0NykWtu7iU5b+3pceslu7b/DN2j62vfFm1fCys/RSP/6dg1j1J97KBquDoDXGxHs9CvMoHb7Ni228Myh/uwYOw1E3DMhFil9fOu2jCgfxl/JC9jOBEo7RVtQEmCOOYvxqr0dcFaD/0Eo5p1jpmkQQQItYvFRU9byDOCktz+Ng6vGmgqd4dO9VrXVBnXxFy8asoBP3D1jRo2y9Y1syvrdVN3/fdlpl9xcEKj6ZLiiokE/zLJLiWPoSK9bX8wtXDeADcr4b9EKvmCosyqIyvK5TyHlUmsAgWwErdpdgb5kg3BEpV2FWPexiyBo5H0K/AfsdZrX0sep4mrgxWKKz5LHQKAC1+48+R9mlp0vcmeRUePsjGAsEGdVGvxz6pt9t+QC X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Kees Cook [ Upstream commit 543841d1806029889c2f69f040e88b247aba8e22 ] Zbigniew mentioned at Linux Plumber's that systemd is interested in switching to execveat() for service execution, but can't, because the contents of /proc/pid/comm are the file descriptor which was used, instead of the path to the binary[1]. This makes the output of tools like top and ps useless, especially in a world where most fds are opened CLOEXEC so the number is truly meaningless. When the filename passed in is empty (e.g. with AT_EMPTY_PATH), use the dentry's filename for "comm" instead of using the useless numeral from the synthetic fdpath construction. This way the actual exec machinery is unchanged, but cosmetically the comm looks reasonable to admins investigating things. Instead of adding TASK_COMM_LEN more bytes to bprm, use one of the unused flag bits to indicate that we need to set "comm" from the dentry. Suggested-by: Zbigniew Jędrzejewski-Szmek Suggested-by: Tycho Andersen Suggested-by: Al Viro Suggested-by: Linus Torvalds Link: https://github.com/uapi-group/kernel-features#set-comm-field-before-exec [1] Reviewed-by: Aleksa Sarai Tested-by: Zbigniew Jędrzejewski-Szmek Signed-off-by: Kees Cook Signed-off-by: Sasha Levin --- fs/exec.c | 29 ++++++++++++++++++++++++++--- include/linux/binfmts.h | 4 +++- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 7776209d98c10..4a6255aa4ea7f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1362,7 +1362,28 @@ int begin_new_exec(struct linux_binprm * bprm) set_dumpable(current->mm, SUID_DUMP_USER); perf_event_exec(); - __set_task_comm(me, kbasename(bprm->filename), true); + + /* + * If the original filename was empty, alloc_bprm() made up a path + * that will probably not be useful to admins running ps or similar. + * Let's fix it up to be something reasonable. + */ + if (bprm->comm_from_dentry) { + /* + * Hold RCU lock to keep the name from being freed behind our back. + * Use acquire semantics to make sure the terminating NUL from + * __d_alloc() is seen. + * + * Note, we're deliberately sloppy here. We don't need to care about + * detecting a concurrent rename and just want a terminated name. + */ + rcu_read_lock(); + __set_task_comm(me, smp_load_acquire(&bprm->file->f_path.dentry->d_name.name), + true); + rcu_read_unlock(); + } else { + __set_task_comm(me, kbasename(bprm->filename), true); + } /* An exec changes our domain. We are no longer part of the thread group */ @@ -1521,11 +1542,13 @@ static struct linux_binprm *alloc_bprm(int fd, struct filename *filename) if (fd == AT_FDCWD || filename->name[0] == '/') { bprm->filename = filename->name; } else { - if (filename->name[0] == '\0') + if (filename->name[0] == '\0') { bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d", fd); - else + bprm->comm_from_dentry = 1; + } else { bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d/%s", fd, filename->name); + } if (!bprm->fdpath) goto out_free; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 8d51f69f9f5ef..af9056d78fadf 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -42,7 +42,9 @@ struct linux_binprm { * Set when errors can no longer be returned to the * original userspace. */ - point_of_no_return:1; + point_of_no_return:1, + /* Set when "comm" must come from the dentry. */ + comm_from_dentry:1; struct file *executable; /* Executable to pass to the interpreter */ struct file *interpreter; struct file *file; -- 2.39.5