From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4C9E4C3601E for ; Thu, 10 Apr 2025 17:24:19 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D5A1928010C; Thu, 10 Apr 2025 13:24:17 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id CBB63280109; Thu, 10 Apr 2025 13:24:17 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B5E3928010C; Thu, 10 Apr 2025 13:24:17 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 9108B280109 for ; Thu, 10 Apr 2025 13:24:17 -0400 (EDT) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 6C9B0B7365 for ; Thu, 10 Apr 2025 17:24:17 +0000 (UTC) X-FDA: 83318807754.29.604FB40 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf24.hostedemail.com (Postfix) with ESMTP id 90779180003 for ; Thu, 10 Apr 2025 17:24:15 +0000 (UTC) Authentication-Results: imf24.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=st7Ba1Lu; spf=pass (imf24.hostedemail.com: domain of sergeh@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=sergeh@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1744305855; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=N1dO6kFGk8cwrQ7pcfDZ1i85FV/4i5t3N0/nANlnHlk=; b=NCsHNn2d0RQUmIZ+YkxsOlueprkzC2GjI2XiCY2tkBNXnJOmF3hxXVJrxtTr3Et5NdwvcU 2ASoBuxDhtN5PM0Ew3Dx5anm1rjEKrRu8DnkpEc/BVu2CK/q+Yac+WyVdUG6HkU91YktlW 9EusjiCM9Qv9DEBkmgV6xK9OljXhiSM= ARC-Authentication-Results: i=1; imf24.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=st7Ba1Lu; spf=pass (imf24.hostedemail.com: domain of sergeh@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=sergeh@kernel.org; dmarc=pass (policy=quarantine) header.from=kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1744305855; a=rsa-sha256; cv=none; b=EsSxZR1d5SIKcW2/MlAg5x9gkqpCC0K6px2RtcP/P5GnRqeQER9gLikOADz4GKjZinsOEL KrX9uu1HA1tpFpWa9GUVhB8BeSZXmzMkHjU63qfwx1EjtEW2C62yPlMQ266TMVZ+JrSGw8 9EH17tOsa4rH2Kz2bKjZ18jVgIDf6OQ= Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 5188E5C61B8; Thu, 10 Apr 2025 17:21:57 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 29FAAC4CEEA; Thu, 10 Apr 2025 17:24:10 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1744305854; bh=LytjVK/uTAfK1ATja76akWBApQICg4D2IClyyAxnKiM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=st7Ba1LuzVZa0v54c9Ukc2WUdpZnIkKxlfeukTkFvSwLPgVfrDsskz1HCRHKJQ0T7 uMSXiewUUu9WBVsQ/8Pjt22rGUmOdeb7hmG4uKGTYR2WX3JqwccflfNdC6oG0cu7XV cwlKJfsSwQSpZ7ywbAmDv5zWTvPU2SgrZnMjcaE/9DB5r9KZg+RSoTblyxRnjQv5iw 2N85PRGR6SkAy2O/Znz0ys7TnbfNo9rmHMm8bgR+lCv1lQYMj/yQf6LAr65+6mN8a2 NEg9CZAW62k7agS6GwhSs763Yw+J/F5oHCEu7MJr7KGZoscDny/YkmwI0KVN/V4rAA quhT8VvqDf9tg== Date: Thu, 10 Apr 2025 17:24:08 +0000 From: sergeh@kernel.org To: Roberto Sassu Cc: Alexander Viro , Christian Brauner , Kees Cook , Paul Moore , James Morris , "Serge E. Hallyn" , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, zohar@linux.ibm.com Subject: Re: Credentials not fully initialized before bprm_check LSM hook Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 90779180003 X-Rspam-User: X-Rspamd-Server: rspam02 X-Stat-Signature: o9a5bp1rk8bc6cf4iqfuukfmpb8w9rqy X-HE-Tag: 1744305855-193265 X-HE-Meta: U2FsdGVkX18fyik2+84ehb9i4gX2Brb8lQnPSaCX0yl9WZE7iD5CXl3szummsrjTdLN5qpzFi4bbRruXgm+uUkzQ6/GY0cYbr048Z5PNLOfv1pskgxzZDtod/0tN7hGPblGPBLq1mXvvMNNGJmAI3csQIXWSc9rp0Euf4bEoKhaybpJkHBtL1cd5UKtOVtpvh7TYnuP6jLgHT3jRXgEMW3n9gWH5wOdER9h/paiQf8dLp3VQNm5s0jB6Tlm1iRa+Ywd2Nod5UHZ6JKjOZYwF2+EYPPL/Mq2r7iKynmHldtMD6SRWrMnEHvJOeN7gv3qnhS+hkAKX1WJhfqoFmWaid4IX7K+WYInDEco909zH0yD6IE66wdIx7iPrY2E9yR0son3KAljpFdhNVz1qF3mp6XRcTGz9lRFtb+SDyJVUxbTrbHoPk8U1lfM+3QrOBUzEkOL97kkhQMLSwL7IGADcWdTQFTjgKepRIV1CwdMtbSbeCQqLAL5j9nikQAUBDmbDgVfAT/rLug2R+NNIrePgICd8aiGv0brblL8ROKNp/AeU9kOzYWKJXfXv8N9vGVvK2aJydRxh5gmVPkmyMMmwYvgt5w7Mq5Nf4lKllsMr6cGEYpDGrnn6Td5BbsIx0OQtiyMs9mlh1wWWGu0lwnP2c7APwKX+Jvb9q7Ljb6fWJ11hpA2+nQtLOjzTYhjZpi5BWrF73oTYgmxqJnVaEsSnbe0j5QBSjUWgPSQrglXgqy+AboS+YSYl4w43dzVzQcz6JighcQ8bDhfBvu5l6KzFwAp5nINIiKo9a6Mkuka/sSn/EyAKE9JnZmzE6RsO76111Xjq6aQJUHj5wqXGfRbpxXSp+klSk41z0h67kANrpW+sFNKthFaeE7msgXQ7wi2v2yFAeFNog0a6Fti+19aJKfcXsXLMJKHL15P2/vrKz3ZGhkEzFPHSXFuk9x6TLAXNb0ysk3a9nYz38C1mw6r 2d+SRDRq GF67QUguEak6dHfJPzj6Zo16864AelhGR2UK3GPCAkah3O+TJ3UrtjxGnFedINUlBx2ZxtD2yu7lDyI0XUpvMePDfY/BVAUq8hhOipgS17UiloZFJhUcEZcJ+/uk4kx3F8ivM/VIQkQqqJ7ZcDIW2xT2JeuRWziG2tGcUm9xWe/Mqwe/eD7WToOg7pW9TFXsKm98/vFWL8Lhl+gKd8aqzByQxsm7OBvtkNw7Hh+KmWElms6P6Newo/0wM3fgNb5P0UwH4QDIb3KyVP2H/+q+pAwIt45iPAkEVW269Uk5CWAR2Ye0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Thu, Apr 10, 2025 at 01:47:07PM +0200, Roberto Sassu wrote: > Hi everyone > > recently I discovered a problem in the implementation of our IMA > bprm_check hook, in particular when the policy is matched against the > bprm credentials (to be committed later during execve(). > > Before commit 56305aa9b6fab ("exec: Compute file based creds only > once"), bprm_fill_uid() was called in prepare_binprm() and filled the > euid/egid before calling security_bprm_check(), which in turns calls > IMA. > > After that commit, bprm_fill_uid() was moved to begin_new_exec(), which > is when the last interpreter is found. > > The consequence is that IMA still sees the not yet ready credentials > and an IMA rule like: > > measure func=CREDS_CHECK euid=0 "IMA still sees" at which point exactly? Do I understand right that the problem is that ima's version of security_bprm_creds_for_exec() needs to run after bprm_creds_from_file()? Given that Eric's commit message said that no bprm handlers use the uid, it seems it should be safe to just move that? > will not be matched for sudo-like applications. > > It does work however with SELinux, because it computes the transition > before IMA in the bprm_creds_for_exec hook. > > Since IMA needs to be involved for each execution in the chain of > interpreters, we cannot move to the bprm_creds_from_file hook. > > How do we solve this problem? The commit mentioned that it is an > optimization, so probably would not be too hard to partially revert it > (and keeping what is good). > > Thanks > > Roberto >