From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Jann Horn <jannh@google.com>
Cc: Kees Cook <kees@kernel.org>, Mateusz Guzik <mjguzik@gmail.com>,
Kees Cook <keescook@chromium.org>,
Christian Brauner <brauner@kernel.org>,
Jorge Merlino <jorge.merlino@canonical.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
Richard Haines <richard_c_haines@btinternet.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Todd Kjos <tkjos@google.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Prashanth Prahlad <pprahlad@redhat.com>,
Micah Morton <mortonm@chromium.org>,
Fenghua Yu <fenghua.yu@intel.com>,
Andrei Vagin <avagin@gmail.com>,
linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-hardening@vger.kernel.org, oleg@redhat.com
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec
Date: Tue, 13 May 2025 17:16:49 -0500 [thread overview]
Message-ID: <871pss17hq.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <CAG48ez0aP8LaGppy6Yon7xcFbQa1=CM-HXSZChvXYV2VJZ8y7g@mail.gmail.com> (Jann Horn's message of "Tue, 13 May 2025 23:09:48 +0200")
Jann Horn <jannh@google.com> writes:
> On Tue, May 13, 2025 at 10:57 PM Kees Cook <kees@kernel.org> wrote:
>> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <mjguzik@gmail.com> wrote:
>> >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is
>> >shared. This will have to be checked for after the execing proc becomes
>> >single-threaded ofc.
>>
>> Unfortunately the above Chrome helper is setuid and uses CLONE_FS.
>
> Chrome first launches a setuid helper, and then the setuid helper does
> CLONE_FS. Mateusz's proposal would not impact this usecase.
>
> Mateusz is proposing to block the case where a process first does
> CLONE_FS, and *then* one of the processes sharing the fs_struct does a
> setuid execve(). Linux already downgrades such an execve() to be
> non-setuid, which probably means anyone trying to do this will get
> hard-to-understand problems. Mateusz' proposal would just turn this
> hard-to-debug edgecase, which already doesn't really work, into a
> clean error; I think that is a nice improvement even just from the
> UAPI standpoint.
>
> If this change makes it possible to clean up the kernel code a bit, even better.
What has brought this to everyone's attention just now? This is
the second mention of this code path I have seen this week.
AKA: security/commoncap.c:cap_bprm_creds_from_file(...)
> ...
> /* Don't let someone trace a set[ug]id/setpcap binary with the revised
> * credentials unless they have the appropriate permit.
> *
> * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
> */
> is_setid = __is_setuid(new, old) || __is_setgid(new, old);
>
> if ((is_setid || __cap_gained(permitted, new, old)) &&
> ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
> !ptracer_capable(current, new->user_ns))) {
> /* downgrade; they get no more than they had, and maybe less */
> if (!ns_capable(new->user_ns, CAP_SETUID) ||
> (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
> new->euid = new->uid;
> new->egid = new->gid;
> }
> new->cap_permitted = cap_intersect(new->cap_permitted,
> old->cap_permitted);
> }
The actual downgrade is because a ptrace'd executable also takes
this path.
I have seen it argued rather forcefully that continuing rather than
simply failing seems better in the ptrace case.
In general I think it can be said this policy is "safe". AKA we don't
let a shared fs struct confuse privileged applications. So nothing
to panic about.
It looks like most of the lsm's also test bprm->unsafe.
So I imagine someone could very carefully separate the non-ptrace case
from the ptrace case but *shrug*.
Perhaps:
if ((is_setid || __cap_gained(permitted, new_old)) &&
((bprm->unsafe & ~LSM_UNSAFE_PTRACE) ||
!ptracer_capable(current, new->user_ns))) {
+ if (!(bprm->unsafe & LSM_UNSAFE_PTRACE)) {
+ return -EPERM;
+ }
/* downgrade; they get no more than they had, and maybe less */
if (!ns_capable(new->user_ns, CAP_SETUID) ||
(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
new->euid = new->uid;
new->egid = new->gid;
}
new->cap_permitted = cap_intersect(new->cap_permitted,
old->cap_permitted);
}
If that is what you want that doesn't look to scary. I don't think
it simplifies anything about fs->in_exec. As fs->in_exec is set when
the processing calling exec is the only process that owns the fs_struct.
With fs->in_exec just being a flag that doesn't allow another thread
to call fork and start sharing the fs_struct during exec.
*Shrug*
I don't see why anyone would care. It is just a very silly corner case.
Eric
next prev parent reply other threads:[~2025-05-13 22:17 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-06 8:27 [PATCH 0/2] " Kees Cook
2022-10-06 8:27 ` [PATCH 1/2] " Kees Cook
2022-10-06 9:05 ` Christian Brauner
2022-10-06 10:48 ` David Laight
2022-10-06 14:13 ` Jann Horn
2022-10-06 15:25 ` Kees Cook
2022-10-06 15:35 ` Jann Horn
2025-05-13 13:05 ` Mateusz Guzik
2025-05-13 15:29 ` Eric W. Biederman
2025-05-13 20:57 ` Kees Cook
2025-05-13 21:09 ` Jann Horn
2025-05-13 22:16 ` Eric W. Biederman [this message]
2025-05-14 0:03 ` Mateusz Guzik
2025-05-14 15:33 ` Eric W. Biederman
2025-05-14 15:42 ` Kees Cook
2025-05-15 16:48 ` Eric W. Biederman
2025-05-13 23:15 ` Kees Cook
2022-10-14 3:18 ` Andy Lutomirski
2022-10-14 3:54 ` Kees Cook
2022-10-14 15:35 ` Jann Horn
2022-10-18 7:09 ` Kees Cook
2022-10-18 11:19 ` Jann Horn
2022-10-14 22:03 ` David Laight
2022-11-28 17:49 ` Eric W. Biederman
2022-10-06 8:27 ` [PATCH 2/2] exec: Remove LSM_UNSAFE_SHARE Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871pss17hq.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=apparmor@lists.ubuntu.com \
--cc=avagin@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=eparis@parisplace.org \
--cc=fenghua.yu@intel.com \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=jorge.merlino@canonical.com \
--cc=kees@kernel.org \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=luto@kernel.org \
--cc=mjguzik@gmail.com \
--cc=mortonm@chromium.org \
--cc=oleg@redhat.com \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=pprahlad@redhat.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=tkjos@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox