From: Jann Horn <jannh@google.com>
To: Kees Cook <keescook@chromium.org>
Cc: Christian Brauner <brauner@kernel.org>,
Eric Biederman <ebiederm@xmission.com>,
Jorge Merlino <jorge.merlino@canonical.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@kernel.org>,
Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Stephen Smalley <stephen.smalley.work@gmail.com>,
Eric Paris <eparis@parisplace.org>,
Richard Haines <richard_c_haines@btinternet.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Todd Kjos <tkjos@google.com>,
Ondrej Mosnacek <omosnace@redhat.com>,
Prashanth Prahlad <pprahlad@redhat.com>,
Micah Morton <mortonm@chromium.org>,
Fenghua Yu <fenghua.yu@intel.com>,
Andrei Vagin <avagin@gmail.com>,
linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec
Date: Thu, 6 Oct 2022 17:35:37 +0200 [thread overview]
Message-ID: <CAG48ez2h29CschY7GPiyg7eZT9B4UnBeKtS6AksyD8iDqs25Bg@mail.gmail.com> (raw)
In-Reply-To: <86CE201B-5632-4BB7-BCF6-7CB2C2895409@chromium.org>
On Thu, Oct 6, 2022 at 5:25 PM Kees Cook <keescook@chromium.org> wrote:
> On October 6, 2022 7:13:37 AM PDT, Jann Horn <jannh@google.com> wrote:
> >On Thu, Oct 6, 2022 at 11:05 AM Christian Brauner <brauner@kernel.org> wrote:
> >> On Thu, Oct 06, 2022 at 01:27:34AM -0700, Kees Cook wrote:
> >> > The check_unsafe_exec() counting of n_fs would not add up under a heavily
> >> > threaded process trying to perform a suid exec, causing the suid portion
> >> > to fail. This counting error appears to be unneeded, but to catch any
> >> > possible conditions, explicitly unshare fs_struct on exec, if it ends up
> >>
> >> Isn't this a potential uapi break? Afaict, before this change a call to
> >> clone{3}(CLONE_FS) followed by an exec in the child would have the
> >> parent and child share fs information. So if the child e.g., changes the
> >> working directory post exec it would also affect the parent. But after
> >> this change here this would no longer be true. So a child changing a
> >> workding directoro would not affect the parent anymore. IOW, an exec is
> >> accompanied by an unshare(CLONE_FS). Might still be worth trying ofc but
> >> it seems like a non-trivial uapi change but there might be few users
> >> that do clone{3}(CLONE_FS) followed by an exec.
> >
> >I believe the following code in Chromium explicitly relies on this
> >behavior, but I'm not sure whether this code is in active use anymore:
> >
> >https://source.chromium.org/chromium/chromium/src/+/main:sandbox/linux/suid/sandbox.c;l=101?q=CLONE_FS&sq=&ss=chromium
>
> Oh yes. I think I had tried to forget this existed. Ugh. Okay, so back to the drawing board, I guess. The counting will need to be fixed...
>
> It's possible we can move the counting after dethread -- it seems the early count was just to avoid setting flags after the point of no return, but it's not an error condition...
Random idea that I haven't thought about a lot:
One approach might be to not do it by counting, but instead have a
flag on the fs_struct that we set when someone does a clone() with
CLONE_FS but without CLONE_THREAD? Then we'd end up with the following
possible states for fs_struct:
- single-process, normal
- single-process, pending execve past check_unsafe_exec() (prevent
concurrent CLONE_FS)
- shared between processes
The slight difference from the old semantics would be that once you've
used CLONE_FS without CLONE_THREAD, you can never do setuid execve()
from your current process again (without calling unshare()), even if
the child disappears in the meantime. I think that might be an
acceptably small UAPI break.
next prev parent reply other threads:[~2022-10-06 15:36 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-06 8:27 [PATCH 0/2] " Kees Cook
2022-10-06 8:27 ` [PATCH 1/2] " Kees Cook
2022-10-06 9:05 ` Christian Brauner
2022-10-06 10:48 ` David Laight
2022-10-06 14:13 ` Jann Horn
2022-10-06 15:25 ` Kees Cook
2022-10-06 15:35 ` Jann Horn [this message]
2025-05-13 13:05 ` Mateusz Guzik
2025-05-13 15:29 ` Eric W. Biederman
2025-05-13 20:57 ` Kees Cook
2025-05-13 21:09 ` Jann Horn
2025-05-13 22:16 ` Eric W. Biederman
2025-05-14 0:03 ` Mateusz Guzik
2025-05-14 15:33 ` Eric W. Biederman
2025-05-14 15:42 ` Kees Cook
2025-05-15 16:48 ` Eric W. Biederman
2025-05-13 23:15 ` Kees Cook
2022-10-14 3:18 ` Andy Lutomirski
2022-10-14 3:54 ` Kees Cook
2022-10-14 15:35 ` Jann Horn
2022-10-18 7:09 ` Kees Cook
2022-10-18 11:19 ` Jann Horn
2022-10-14 22:03 ` David Laight
2022-11-28 17:49 ` Eric W. Biederman
2022-10-06 8:27 ` [PATCH 2/2] exec: Remove LSM_UNSAFE_SHARE Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAG48ez2h29CschY7GPiyg7eZT9B4UnBeKtS6AksyD8iDqs25Bg@mail.gmail.com \
--to=jannh@google.com \
--cc=akpm@linux-foundation.org \
--cc=apparmor@lists.ubuntu.com \
--cc=avagin@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=eparis@parisplace.org \
--cc=fenghua.yu@intel.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=jorge.merlino@canonical.com \
--cc=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=luto@kernel.org \
--cc=mortonm@chromium.org \
--cc=omosnace@redhat.com \
--cc=paul@paul-moore.com \
--cc=pprahlad@redhat.com \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=stephen.smalley.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=tkjos@google.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox