aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2018-03-09 14:30:20 -0500
committerJames Morris <james.morris@microsoft.com>2018-03-19 00:49:32 -0400
commit7bd698b3c04e61ee9e03d4c2a55003f75df14dca (patch)
treed15e529bab47370611aa871465662775f9798027
parent6b4f3d01052a479c7ebbe99d52a663558dc1be2a (diff)
exec: Set file unwritable before LSM check
The LSM check should happen after the file has been confirmed to be unchanging. Without this, we could have a race between the Time of Check (the call to security_kernel_read_file() which could read the file and make access policy decisions) and the Time of Use (starting with kernel_read_file()'s reading of the file contents). In theory, file contents could change between the two. Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com> Signed-off-by: James Morris <james.morris@microsoft.com>
-rw-r--r--fs/exec.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 7eb8d21bcab9..a919a827d181 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
895 if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0) 895 if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
896 return -EINVAL; 896 return -EINVAL;
897 897
898 ret = security_kernel_read_file(file, id); 898 ret = deny_write_access(file);
899 if (ret) 899 if (ret)
900 return ret; 900 return ret;
901 901
902 ret = deny_write_access(file); 902 ret = security_kernel_read_file(file, id);
903 if (ret) 903 if (ret)
904 return ret; 904 goto out;
905 905
906 i_size = i_size_read(file_inode(file)); 906 i_size = i_size_read(file_inode(file));
907 if (max_size > 0 && i_size > max_size) { 907 if (max_size > 0 && i_size > max_size) {