From: Kees Cook
Date: Thu, 06 Oct 2022 08:25:01 -0700
To: Jann Horn, Christian Brauner
Cc: Eric Biederman, Jorge Merlino, Alexander Viro, Thomas Gleixner, Andy Lutomirski, Sebastian Andrzej Siewior, Andrew Morton, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, John Johansen, Paul Moore, James Morris, Serge E. Hallyn, Stephen Smalley, Eric Paris, Richard Haines, Casey Schaufler, Xin Long, David S. Miller, Todd Kjos, Ondrej Mosnacek, Prashanth Prahlad, Micah Morton, Fenghua Yu, Andrei Vagin, linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec
Message-ID: <86CE201B-5632-4BB7-BCF6-7CB2C2895409@chromium.org>
References: <20221006082735.1321612-1-keescook@chromium.org> <20221006082735.1321612-2-keescook@chromium.org> <20221006090506.paqjf537cox7lqrq@wittgenstein>

On October 6, 2022 7:13:37 AM PDT, Jann Horn wrote:
>On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner wrote:
>> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote:
>> > The check_unsafe_exec() counting of n_fs would not add up under a heavily
>> > threaded process trying to perform a suid exec, causing the suid portion
>> > to fail. This counting error appears to be unneeded, but to catch any
>> > possible conditions, explicitly unshare fs_struct on exec, if it ends up
>>
>> Isn't this a potential uapi break? Afaict, before this change a call to
>> clone{3}(CLONE_FS) followed by an exec in the child would have the
>> parent and child share fs information. So if the child e.g., changes the
>> working directory post exec it would also affect the parent. But after
>> this change here this would no longer be true. So a child changing a
>> working directory would not affect the parent anymore. IOW, an exec is
>> accompanied by an unshare(CLONE_FS). Might still be worth trying ofc but
>> it seems like a non-trivial uapi change but there might be few users
>> that do clone{3}(CLONE_FS) followed by an exec.
>
>I believe the following code in Chromium explicitly relies on this
>behavior, but I'm not sure whether this code is in active use anymore:
>
>https://source.chromium.org/chromium/chromium/src/+/main:sandbox/linux/suid/sandbox.c;l=101?q=CLONE_FS&sq=&ss=chromium

Oh yes. I think I had tried to forget this existed. Ugh. Okay, so back to the drawing board, I guess. The counting will need to be fixed...

It's possible we can move the counting after dethread -- it seems the early count was just to avoid setting flags after the point of no return, but it's not an error condition...

-- 
Kees Cook
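The uapi behaviour Christian describes above, that a clone(CLONE_FS) child keeps sharing the parent's fs_struct (cwd, root, umask) across an exec, is easy to observe from userspace. The program below is an added illustration written for this page; it is not code from the thread, from the kernel patch, or from the Chromium sandbox. It assumes Linux and a /bin/sh, and uses a non-setuid target program so that only the sharing itself is exercised, not the LSM_UNSAFE_SHARE handling that the patch's suid case is about. The exec'd shell runs `cd`, and the parent then checks whether its own working directory moved. With CLONE_FS it does; without the flag the child works on a private copy and the parent is unaffected. The proposed unconditional unshare on exec would make the CLONE_FS case behave like the second one, which is exactly the observable change the thread is worried about.

```c
/*
 * Added example (not from the thread, the patch, or Chromium): shows that a
 * child created with clone(CLONE_FS) still shares the parent's fs_struct
 * after it execs, so a chdir done by the exec'd program changes the
 * parent's cwd. Assumes Linux and /bin/sh.
 */
#define _GNU_SOURCE
#include <limits.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the GNU feature macros were not in effect when
 * <sched.h> was first included; the values/prototype match glibc. */
#ifndef CLONE_FS
#define CLONE_FS 0x00000200
#endif
int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...);

#define CHILD_STACK_SIZE (256 * 1024)

/* Child entry point: replace ourselves with a shell that cd's to arg.
 * The chdir happens in the exec'd shell, i.e. post-exec. */
static int child_exec_cd(void *arg)
{
    const char *dir = arg;
    /* $0 is "sh", $1 is dir. */
    execl("/bin/sh", "sh", "-c", "cd \"$1\"", "sh", dir, (char *)NULL);
    _exit(127); /* only reached if exec itself fails */
}

/*
 * Clone a child with the given extra flags (CLONE_FS or 0), let it exec and
 * chdir, and report whether the parent's cwd followed.
 * Returns 1 if the parent's cwd changed to the target, 0 if not, -1 on
 * error. The parent's original cwd is restored before returning.
 */
int parent_cwd_follows_child_exec(int extra_clone_flags)
{
    char before[PATH_MAX], after[PATH_MAX];
    if (!getcwd(before, sizeof before))
        return -1;
    /* Pick a target directory that differs from where we currently are. */
    const char *target = strcmp(before, "/") == 0 ? "/tmp" : "/";

    char *stack = malloc(CHILD_STACK_SIZE);
    if (!stack)
        return -1;
    /* SIGCHLD as the exit signal keeps the child reapable with waitpid(). */
    pid_t pid = clone(child_exec_cd, stack + CHILD_STACK_SIZE,
                      extra_clone_flags | SIGCHLD, (void *)target);
    int result = -1;
    if (pid > 0) {
        int status;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
            WEXITSTATUS(status) == 0 && getcwd(after, sizeof after))
            result = strcmp(after, target) == 0;
    }
    free(stack);
    if (chdir(before) != 0)
        return -1;
    return result;
}

int main(void)
{
    printf("clone(CLONE_FS) + exec + cd in child: parent cwd followed = %d\n",
           parent_cwd_follows_child_exec(CLONE_FS));
    printf("clone(0)        + exec + cd in child: parent cwd followed = %d\n",
           parent_cwd_follows_child_exec(0));
    return 0;
}
```

On a current mainline kernel the first call reports 1 and the second 0. A program like the Chromium sandbox helper Jann links to depends on the first result; anything that audits process trees (for instance a detection that assumes a process's cwd is only changed by that process) should likewise keep in mind that a CLONE_FS sibling or child, even after exec, can move the shared cwd or root.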