diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2017-09-07 23:35:29 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2017-09-07 23:35:29 -0400 |
| commit | 828f4257d1d33aed0f9ef82982dcb8ace8b7fe86 (patch) | |
| tree | ce9e1fc4eaae2c66e8a5bba25579c32c229352b4 /security/selinux/hooks.c | |
| parent | 44ccba3f7b230af1bd7ebe173cbf5803df1df486 (diff) | |
| parent | fe8993b3a05cbba6318a54e0f85901aaea6fc244 (diff) | |
Merge tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull secureexec update from Kees Cook:
"This series has the ultimate goal of providing a sane stack rlimit
when running set*id processes.
To do this, the bprm_secureexec LSM hook is collapsed into the
bprm_set_creds hook so the secureexec-ness of an exec can be
determined early enough to make decisions about rlimits and the
resulting memory layouts. Other logic acting on the secureexec-ness of
an exec is similarly consolidated. Capabilities needed some special
handling, but the refactoring removed other special handling, so that
was a wash"
* tag 'secureexec-v4.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
exec: Consolidate pdeath_signal clearing
exec: Use sane stack rlimit under secureexec
exec: Consolidate dumpability logic
smack: Remove redundant pdeath_signal clearing
exec: Use secureexec for clearing pdeath_signal
exec: Use secureexec for setting dumpability
LSM: drop bprm_secureexec hook
commoncap: Move cap_elevated calculation into bprm_set_creds
commoncap: Refactor to remove bprm_secureexec hook
smack: Refactor to remove bprm_secureexec hook
selinux: Refactor to remove bprm_secureexec hook
apparmor: Refactor to remove bprm_secureexec hook
binfmt: Introduce secureexec flag
exec: Correct comments about "point of no return"
exec: Rename bprm->cred_prepared to called_set_creds
Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 26 |
1 files changed, 6 insertions, 20 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 2f2e1338cd3d..ad3b0f53ede0 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2356,7 +2356,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2356 | 2356 | ||
| 2357 | /* SELinux context only depends on initial program or script and not | 2357 | /* SELinux context only depends on initial program or script and not |
| 2358 | * the script interpreter */ | 2358 | * the script interpreter */ |
| 2359 | if (bprm->cred_prepared) | 2359 | if (bprm->called_set_creds) |
| 2360 | return 0; | 2360 | return 0; |
| 2361 | 2361 | ||
| 2362 | old_tsec = current_security(); | 2362 | old_tsec = current_security(); |
| @@ -2442,30 +2442,17 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2442 | 2442 | ||
| 2443 | /* Clear any possibly unsafe personality bits on exec: */ | 2443 | /* Clear any possibly unsafe personality bits on exec: */ |
| 2444 | bprm->per_clear |= PER_CLEAR_ON_SETID; | 2444 | bprm->per_clear |= PER_CLEAR_ON_SETID; |
| 2445 | } | ||
| 2446 | |||
| 2447 | return 0; | ||
| 2448 | } | ||
| 2449 | |||
| 2450 | static int selinux_bprm_secureexec(struct linux_binprm *bprm) | ||
| 2451 | { | ||
| 2452 | const struct task_security_struct *tsec = current_security(); | ||
| 2453 | u32 sid, osid; | ||
| 2454 | int atsecure = 0; | ||
| 2455 | |||
| 2456 | sid = tsec->sid; | ||
| 2457 | osid = tsec->osid; | ||
| 2458 | 2445 | ||
| 2459 | if (osid != sid) { | ||
| 2460 | /* Enable secure mode for SIDs transitions unless | 2446 | /* Enable secure mode for SIDs transitions unless |
| 2461 | the noatsecure permission is granted between | 2447 | the noatsecure permission is granted between |
| 2462 | the two SIDs, i.e. ahp returns 0. */ | 2448 | the two SIDs, i.e. ahp returns 0. */ |
| 2463 | atsecure = avc_has_perm(osid, sid, | 2449 | rc = avc_has_perm(old_tsec->sid, new_tsec->sid, |
| 2464 | SECCLASS_PROCESS, | 2450 | SECCLASS_PROCESS, PROCESS__NOATSECURE, |
| 2465 | PROCESS__NOATSECURE, NULL); | 2451 | NULL); |
| 2452 | bprm->secureexec |= !!rc; | ||
| 2466 | } | 2453 | } |
| 2467 | 2454 | ||
| 2468 | return !!atsecure; | 2455 | return 0; |
| 2469 | } | 2456 | } |
| 2470 | 2457 | ||
| 2471 | static int match_file(const void *p, struct file *file, unsigned fd) | 2458 | static int match_file(const void *p, struct file *file, unsigned fd) |
| @@ -6266,7 +6253,6 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = { | |||
| 6266 | LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), | 6253 | LSM_HOOK_INIT(bprm_set_creds, selinux_bprm_set_creds), |
| 6267 | LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), | 6254 | LSM_HOOK_INIT(bprm_committing_creds, selinux_bprm_committing_creds), |
| 6268 | LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), | 6255 | LSM_HOOK_INIT(bprm_committed_creds, selinux_bprm_committed_creds), |
| 6269 | LSM_HOOK_INIT(bprm_secureexec, selinux_bprm_secureexec), | ||
| 6270 | 6256 | ||
| 6271 | LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), | 6257 | LSM_HOOK_INIT(sb_alloc_security, selinux_sb_alloc_security), |
| 6272 | LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), | 6258 | LSM_HOOK_INIT(sb_free_security, selinux_sb_free_security), |