From: Jann Horn
Date: Tue, 13 May 2025 23:09:48 +0200
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec
To: Kees Cook
Cc: Mateusz Guzik, Kees Cook, Christian Brauner, Eric Biederman, Jorge Merlino, Alexander Viro, Thomas Gleixner, Andy Lutomirski, Sebastian Andrzej Siewior, Andrew Morton, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", Stephen Smalley, Eric Paris, Richard Haines, Casey Schaufler, Xin Long, "David S. Miller", Todd Kjos, Ondrej Mosnacek, Prashanth Prahlad, Micah Morton, Fenghua Yu, Andrei Vagin, linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org, oleg@redhat.com

On Tue, May 13, 2025 at 10:57 PM Kees Cook wrote:
> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik wrote:
> > Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is
> > shared. This will have to be checked for after the execing proc becomes
> > single-threaded ofc.
>
> Unfortunately the above Chrome helper is setuid and uses CLONE_FS.

Chrome first launches a setuid helper, and then the setuid helper does
CLONE_FS. Mateusz's proposal would not impact this use case.

Mateusz is proposing to block the case where a process first does
CLONE_FS, and *then* one of the processes sharing the fs_struct does a
setuid execve().

Linux already downgrades such an execve() to be non-setuid, which
probably means anyone trying to do this will get hard-to-understand
problems. Mateusz's proposal would just turn this hard-to-debug edge
case, which already doesn't really work, into a clean error; I think
that is a nice improvement even just from the UAPI standpoint. If this
change makes it possible to clean up the kernel code a bit, even better.
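A userspace reproducer for the edge case discussed in this message, added here as an example (it is not code from the thread or from the kernel): `clone_fs_shares_cwd()` shows that a CLONE_FS child's chdir() moves the parent's cwd, i.e. the fs_struct is genuinely shared, and `exec_from_shared_fs()` execs a caller-supplied path from such a child. The setuid test binary that prints its euid, and the use of /tmp as a starting directory, are assumptions.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <sys/syscall.h>
#include <sys/wait.h>
/* fork()-like clone whose child shares the parent's fs_struct (cwd, root, umask). */
static pid_t fork_shared_fs(void)
{
    return (pid_t)syscall(SYS_clone, CLONE_FS | SIGCHLD, NULL, NULL, NULL, 0);
}

/* 1 if a chdir() in a CLONE_FS child moved the parent's cwd too (fs_struct really
 * shared), 0 if not, -1 on error. Starts in /tmp (assumed to exist), ends in "/". */
int clone_fs_shares_cwd(void)
{
    char cwd[PATH_MAX];
    int status;
    if (chdir("/tmp") != 0)
        return -1;
    pid_t pid = fork_shared_fs();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(chdir("/") == 0 ? 0 : 1);   /* child: move the shared cwd */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    if (!getcwd(cwd, sizeof cwd))
        return -1;
    return strcmp(cwd, "/") == 0;
}

/* Execs `path` from a CLONE_FS child and returns its exit status. If `path` is a
 * setuid binary (assumed: e.g. a setuid copy of id(1) printing its euid) and the
 * parent is unprivileged, check_unsafe_exec() sees the shared fs_struct, sets
 * LSM_UNSAFE_SHARE, and the exec runs without the setuid gain: euid == uid. */
int exec_from_shared_fs(const char *path)
{
    int status;
    pid_t pid = fork_shared_fs();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(path, path, (char *)NULL);
        _exit(127);
    }
    return waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ? -1 : WEXITSTATUS(status);
}
```

Run `exec_from_shared_fs()` as an unprivileged user against a setuid test binary to watch the euid stay equal to the uid; a parent that already holds CAP_SETUID will not show the downgrade.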