diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-02-06 21:52:55 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-02-06 21:52:55 -0500 |
commit | ccfef64621ef1e8c7726581b38eb8b98fd2a8afb (patch) | |
tree | 74d99dcecbd7adad1dcd5d61fac408855b43a267 /fs | |
parent | ae1a25da8448271a99745da03100d5299575a269 (diff) | |
parent | 0bf2f3aec5474da80a60e1baca629af87ecb67b6 (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
CRED: Fix SUID exec regression
Diffstat (limited to 'fs')
-rw-r--r-- | fs/compat.c | 2 | ||||
-rw-r--r-- | fs/exec.c | 28 | ||||
-rw-r--r-- | fs/internal.h | 2 |
3 files changed, 24 insertions, 8 deletions
diff --git a/fs/compat.c b/fs/compat.c index 65a070e705ab..d0145ca27572 100644 --- a/fs/compat.c +++ b/fs/compat.c | |||
@@ -1407,7 +1407,7 @@ int compat_do_execve(char * filename, | |||
1407 | bprm->cred = prepare_exec_creds(); | 1407 | bprm->cred = prepare_exec_creds(); |
1408 | if (!bprm->cred) | 1408 | if (!bprm->cred) |
1409 | goto out_unlock; | 1409 | goto out_unlock; |
1410 | check_unsafe_exec(bprm); | 1410 | check_unsafe_exec(bprm, current->files); |
1411 | 1411 | ||
1412 | file = open_exec(filename); | 1412 | file = open_exec(filename); |
1413 | retval = PTR_ERR(file); | 1413 | retval = PTR_ERR(file); |
@@ -1049,16 +1049,32 @@ EXPORT_SYMBOL(install_exec_creds); | |||
1049 | * - the caller must hold current->cred_exec_mutex to protect against | 1049 | * - the caller must hold current->cred_exec_mutex to protect against |
1050 | * PTRACE_ATTACH | 1050 | * PTRACE_ATTACH |
1051 | */ | 1051 | */ |
1052 | void check_unsafe_exec(struct linux_binprm *bprm) | 1052 | void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files) |
1053 | { | 1053 | { |
1054 | struct task_struct *p = current; | 1054 | struct task_struct *p = current, *t; |
1055 | unsigned long flags; | ||
1056 | unsigned n_fs, n_files, n_sighand; | ||
1055 | 1057 | ||
1056 | bprm->unsafe = tracehook_unsafe_exec(p); | 1058 | bprm->unsafe = tracehook_unsafe_exec(p); |
1057 | 1059 | ||
1058 | if (atomic_read(&p->fs->count) > 1 || | 1060 | n_fs = 1; |
1059 | atomic_read(&p->files->count) > 1 || | 1061 | n_files = 1; |
1060 | atomic_read(&p->sighand->count) > 1) | 1062 | n_sighand = 1; |
1063 | lock_task_sighand(p, &flags); | ||
1064 | for (t = next_thread(p); t != p; t = next_thread(t)) { | ||
1065 | if (t->fs == p->fs) | ||
1066 | n_fs++; | ||
1067 | if (t->files == files) | ||
1068 | n_files++; | ||
1069 | n_sighand++; | ||
1070 | } | ||
1071 | |||
1072 | if (atomic_read(&p->fs->count) > n_fs || | ||
1073 | atomic_read(&p->files->count) > n_files || | ||
1074 | atomic_read(&p->sighand->count) > n_sighand) | ||
1061 | bprm->unsafe |= LSM_UNSAFE_SHARE; | 1075 | bprm->unsafe |= LSM_UNSAFE_SHARE; |
1076 | |||
1077 | unlock_task_sighand(p, &flags); | ||
1062 | } | 1078 | } |
1063 | 1079 | ||
1064 | /* | 1080 | /* |
@@ -1273,7 +1289,7 @@ int do_execve(char * filename, | |||
1273 | bprm->cred = prepare_exec_creds(); | 1289 | bprm->cred = prepare_exec_creds(); |
1274 | if (!bprm->cred) | 1290 | if (!bprm->cred) |
1275 | goto out_unlock; | 1291 | goto out_unlock; |
1276 | check_unsafe_exec(bprm); | 1292 | check_unsafe_exec(bprm, displaced); |
1277 | 1293 | ||
1278 | file = open_exec(filename); | 1294 | file = open_exec(filename); |
1279 | retval = PTR_ERR(file); | 1295 | retval = PTR_ERR(file); |
diff --git a/fs/internal.h b/fs/internal.h index 53af885f1732..0d8ac497b3d5 100644 --- a/fs/internal.h +++ b/fs/internal.h | |||
@@ -43,7 +43,7 @@ extern void __init chrdev_init(void); | |||
43 | /* | 43 | /* |
44 | * exec.c | 44 | * exec.c |
45 | */ | 45 | */ |
46 | extern void check_unsafe_exec(struct linux_binprm *); | 46 | extern void check_unsafe_exec(struct linux_binprm *, struct files_struct *); |
47 | 47 | ||
48 | /* | 48 | /* |
49 | * namespace.c | 49 | * namespace.c |