1 files changed, 129 insertions, 121 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 4e834f16d9da..9c33f542dc77 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -51,15 +51,12 @@
 #include <linux/audit.h>
 #include <linux/tracehook.h>
 #include <linux/kmod.h>
+#include <linux/fsnotify.h>
 #include <asm/uaccess.h>
 #include <asm/mmu_context.h>
 #include <asm/tlb.h>
+#include "internal.h"
-#ifdef __alpha__
-/* for /sbin/loader handling in search_binary_handler() */
-#include <linux/a.out.h>
-#endif
 int core_uses_pid;
 char core_pattern[CORENAME_MAX_SIZE] = "core";
@@ -126,7 +123,8 @@ asmlinkage long sys_uselib(const char __user * library)
        if (nd.path.mnt->mnt_flags & MNT_NOEXEC)
                goto exit;
-        error = vfs_permission(&nd, MAY_READ | MAY_EXEC | MAY_OPEN);
+        error = inode_permission(nd.path.dentry->d_inode,
+                                 MAY_READ | MAY_EXEC | MAY_OPEN);
        if (error)
                goto exit;
@@ -135,6 +133,8 @@ asmlinkage long sys_uselib(const char __user * library)
        if (IS_ERR(file))
                goto out;
+        fsnotify_open(file->f_path.dentry);
        error = -ENOEXEC;
        if(file->f_op) {
                struct linux_binfmt * fmt;
@@ -679,7 +679,7 @@ struct file *open_exec(const char *name)
        if (nd.path.mnt->mnt_flags & MNT_NOEXEC)
                goto out_path_put;
-        err = vfs_permission(&nd, MAY_EXEC | MAY_OPEN);
+        err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC | MAY_OPEN);
        if (err)
                goto out_path_put;
@@ -687,6 +687,8 @@ struct file *open_exec(const char *name)
        if (IS_ERR(file))
                return file;
+        fsnotify_open(file->f_path.dentry);
        err = deny_write_access(file);
        if (err) {
                fput(file);
@@ -772,7 +774,6 @@ static int de_thread(struct task_struct *tsk)
        struct signal_struct *sig = tsk->signal;
        struct sighand_struct *oldsighand = tsk->sighand;
        spinlock_t *lock = &oldsighand->siglock;
-        struct task_struct *leader = NULL;
        int count;
        if (thread_group_empty(tsk))
@@ -810,7 +811,7 @@ static int de_thread(struct task_struct *tsk)
         * and to assume its PID:
         */
        if (!thread_group_leader(tsk)) {
-                leader = tsk->group_leader;
+                struct task_struct *leader = tsk->group_leader;
                sig->notify_count = -1; /* for exit_notify() */
                for (;;) {
@@ -862,8 +863,9 @@ static int de_thread(struct task_struct *tsk)
                BUG_ON(leader->exit_state != EXIT_ZOMBIE);
                leader->exit_state = EXIT_DEAD;
                write_unlock_irq(&tasklist_lock);
+                release_task(leader);
        }
        sig->group_exit_task = NULL;
@@ -872,8 +874,6 @@ static int de_thread(struct task_struct *tsk)
 no_thread_group:
        exit_itimers(sig);
        flush_itimer_signals();
-        if (leader)
-                release_task(leader);
        if (atomic_read(&oldsighand->count) != 1) {
                struct sighand_struct *newsighand;
@@ -980,7 +980,7 @@ int flush_old_exec(struct linux_binprm * bprm)
        /* This is the point of no return */
        current->sas_ss_sp = current->sas_ss_size = 0;
-        if (current->euid == current->uid && current->egid == current->gid)
+        if (current_euid() == current_uid() && current_egid() == current_gid())
                set_dumpable(current->mm, 1);
        else
                set_dumpable(current->mm, suid_dumpable);
@@ -1007,16 +1007,17 @@ int flush_old_exec(struct linux_binprm * bprm)
         */
        current->mm->task_size = TASK_SIZE;
-        if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+        /* install the new credentials */
-                suid_keys(current);
+        if (bprm->cred->uid != current_euid() ||
-                set_dumpable(current->mm, suid_dumpable);
+            bprm->cred->gid != current_egid()) {
                current->pdeath_signal = 0;
        } else if (file_permission(bprm->file, MAY_READ) ||
-                        (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+                   bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) {
-                suid_keys(current);
                set_dumpable(current->mm, suid_dumpable);
        }
+        current->personality &= ~bprm->per_clear;
        /* An exec changes our domain. We are no longer part of the thread
           group */
@@ -1033,13 +1034,50 @@ out:
 EXPORT_SYMBOL(flush_old_exec);
+/*
+ * install the new credentials for this executable
+ */
+void install_exec_creds(struct linux_binprm *bprm)
+{
+        security_bprm_committing_creds(bprm);
+        commit_creds(bprm->cred);
+        bprm->cred = NULL;
+        /* cred_exec_mutex must be held at least to this point to prevent
+         * ptrace_attach() from altering our determination of the task's
+         * credentials; any time after this it may be unlocked */
+        security_bprm_committed_creds(bprm);
+}
+EXPORT_SYMBOL(install_exec_creds);
+/*
+ * determine how safe it is to execute the proposed program
+ * - the caller must hold current->cred_exec_mutex to protect against
+ *   PTRACE_ATTACH
+ */
+void check_unsafe_exec(struct linux_binprm *bprm)
+{
+        struct task_struct *p = current;
+        bprm->unsafe = tracehook_unsafe_exec(p);
+        if (atomic_read(&p->fs->count) > 1 ||
+            atomic_read(&p->files->count) > 1 ||
+            atomic_read(&p->sighand->count) > 1)
+                bprm->unsafe |= LSM_UNSAFE_SHARE;
+}
 /* 
 * Fill the binprm structure from the inode. 
 * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+ *
+ * This may be called multiple times for binary chains (scripts for example).
 */
 int prepare_binprm(struct linux_binprm *bprm)
 {
-        int mode;
+        umode_t mode;
        struct inode * inode = bprm->file->f_path.dentry->d_inode;
        int retval;
@@ -1047,14 +1085,15 @@ int prepare_binprm(struct linux_binprm *bprm)
        if (bprm->file->f_op == NULL)
                return -EACCES;
-        bprm->e_uid = current->euid;
+        /* clear any previous set[ug]id data from a previous binary */
-        bprm->e_gid = current->egid;
+        bprm->cred->euid = current_euid();
+        bprm->cred->egid = current_egid();
-        if(!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
+        if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
                /* Set-uid? */
                if (mode & S_ISUID) {
-                        current->personality &= ~PER_CLEAR_ON_SETID;
+                        bprm->per_clear |= PER_CLEAR_ON_SETID;
-                        bprm->e_uid = inode->i_uid;
+                        bprm->cred->euid = inode->i_uid;
                }
                /* Set-gid? */
@@ -1064,52 +1103,23 @@ int prepare_binprm(struct linux_binprm *bprm)
                 * executable.
                 */
                if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
-                        current->personality &= ~PER_CLEAR_ON_SETID;
+                        bprm->per_clear |= PER_CLEAR_ON_SETID;
-                        bprm->e_gid = inode->i_gid;
+                        bprm->cred->egid = inode->i_gid;
                }
        }
        /* fill in binprm security blob */
-        retval = security_bprm_set(bprm);
+        retval = security_bprm_set_creds(bprm);
        if (retval)
                return retval;
+        bprm->cred_prepared = 1;
-        memset(bprm->buf,0,BINPRM_BUF_SIZE);
+        memset(bprm->buf, 0, BINPRM_BUF_SIZE);
-        return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
+        return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
 }
 EXPORT_SYMBOL(prepare_binprm);
-static int unsafe_exec(struct task_struct *p)
-{
-        int unsafe = tracehook_unsafe_exec(p);
-        if (atomic_read(&p->fs->count) > 1 ||
-            atomic_read(&p->files->count) > 1 ||
-            atomic_read(&p->sighand->count) > 1)
-                unsafe |= LSM_UNSAFE_SHARE;
-        return unsafe;
-}
-void compute_creds(struct linux_binprm *bprm)
-{
-        int unsafe;
-        if (bprm->e_uid != current->uid) {
-                suid_keys(current);
-                current->pdeath_signal = 0;
-        }
-        exec_keys(current);
-        task_lock(current);
-        unsafe = unsafe_exec(current);
-        security_bprm_apply_creds(bprm, unsafe);
-        task_unlock(current);
-        security_bprm_post_apply_creds(bprm);
-}
-EXPORT_SYMBOL(compute_creds);
 /*
 * Arguments are '\0' separated strings found at the location bprm->p
 * points to; chop off the first by relocating brpm->p to right after
@@ -1159,43 +1169,10 @@ EXPORT_SYMBOL(remove_arg_zero);
 */
 int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
 {
+        unsigned int depth = bprm->recursion_depth;
        int try,retval;
        struct linux_binfmt *fmt;
-#ifdef __alpha__
-        /* handle /sbin/loader.. */
-        {
-            struct exec * eh = (struct exec *) bprm->buf;
-            if (!bprm->loader && eh->fh.f_magic == 0x183 &&
-                (eh->fh.f_flags & 0x3000) == 0x3000)
-            {
-                struct file * file;
-                unsigned long loader;
-                allow_write_access(bprm->file);
-                fput(bprm->file);
-                bprm->file = NULL;
-                loader = bprm->vma->vm_end - sizeof(void *);
-                file = open_exec("/sbin/loader");
-                retval = PTR_ERR(file);
-                if (IS_ERR(file))
-                        return retval;
-                /* Remember if the application is TASO.  */
-                bprm->taso = eh->ah.entry < 0x100000000UL;
-                bprm->file = file;
-                bprm->loader = loader;
-                retval = prepare_binprm(bprm);
-                if (retval<0)
-                        return retval;
-                /* should call search_binary_handler recursively here,
-                   but it does not matter */
-            }
-        }
-#endif
        retval = security_bprm_check(bprm);
        if (retval)
                return retval;
@@ -1219,8 +1196,15 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
                                continue;
                        read_unlock(&binfmt_lock);
                        retval = fn(bprm, regs);
+                        /*
+                         * Restore the depth counter to its starting value
+                         * in this call, so we don't have to rely on every
+                         * load_binary function to restore it on return.
+                         */
+                        bprm->recursion_depth = depth;
                        if (retval >= 0) {
-                                tracehook_report_exec(fmt, bprm, regs);
+                                if (depth == 0)
+                                        tracehook_report_exec(fmt, bprm, regs);
                                put_binfmt(fmt);
                                allow_write_access(bprm->file);
                                if (bprm->file)
@@ -1262,6 +1246,8 @@ EXPORT_SYMBOL(search_binary_handler);
 void free_bprm(struct linux_binprm *bprm)
 {
        free_arg_pages(bprm);
+        if (bprm->cred)
+                abort_creds(bprm->cred);
        kfree(bprm);
 }
@@ -1287,10 +1273,20 @@ int do_execve(char * filename,
        if (!bprm)
                goto out_files;
+        retval = mutex_lock_interruptible(&current->cred_exec_mutex);
+        if (retval < 0)
+                goto out_free;
+        retval = -ENOMEM;
+        bprm->cred = prepare_exec_creds();
+        if (!bprm->cred)
+                goto out_unlock;
+        check_unsafe_exec(bprm);
        file = open_exec(filename);
        retval = PTR_ERR(file);
        if (IS_ERR(file))
-                goto out_kfree;
+                goto out_unlock;
        sched_exec();
@@ -1304,14 +1300,10 @@ int do_execve(char * filename,
        bprm->argc = count(argv, MAX_ARG_STRINGS);
        if ((retval = bprm->argc) < 0)
-                goto out_mm;
+                goto out;
        bprm->envc = count(envp, MAX_ARG_STRINGS);
        if ((retval = bprm->envc) < 0)
-                goto out_mm;
-        retval = security_bprm_alloc(bprm);
-        if (retval)
                goto out;
        retval = prepare_binprm(bprm);
@@ -1333,21 +1325,18 @@ int do_execve(char * filename,
        current->flags &= ~PF_KTHREAD;
        retval = search_binary_handler(bprm,regs);
-        if (retval >= 0) {
+        if (retval < 0)
-                /* execve success */
+                goto out;
-                security_bprm_free(bprm);
-                acct_update_integrals(current);
-                free_bprm(bprm);
-                if (displaced)
-                        put_files_struct(displaced);
-                return retval;
-        }
-out:
+        /* execve succeeded */
-        if (bprm->security)
+        mutex_unlock(&current->cred_exec_mutex);
-                security_bprm_free(bprm);
+        acct_update_integrals(current);
+        free_bprm(bprm);
+        if (displaced)
+                put_files_struct(displaced);
+        return retval;
-out_mm:
+out:
        if (bprm->mm)
                mmput (bprm->mm);
@@ -1356,7 +1345,11 @@ out_file:
                allow_write_access(bprm->file);
                fput(bprm->file);
        }
-out_kfree:
+out_unlock:
+        mutex_unlock(&current->cred_exec_mutex);
+out_free:
        free_bprm(bprm);
 out_files:
@@ -1388,6 +1381,7 @@ EXPORT_SYMBOL(set_binfmt);
 */
 static int format_corename(char *corename, long signr)
 {
+        const struct cred *cred = current_cred();
        const char *pat_ptr = core_pattern;
        int ispipe = (*pat_ptr == '|');
        char *out_ptr = corename;
@@ -1424,7 +1418,7 @@ static int format_corename(char *corename, long signr)
                        /* uid */
                        case 'u':
                                rc = snprintf(out_ptr, out_end - out_ptr,
-                                              "%d", current->uid);
+                                              "%d", cred->uid);
                                if (rc > out_end - out_ptr)
                                        goto out;
                                out_ptr += rc;
@@ -1432,7 +1426,7 @@ static int format_corename(char *corename, long signr)
                        /* gid */
                        case 'g':
                                rc = snprintf(out_ptr, out_end - out_ptr,
-                                              "%d", current->gid);
+                                              "%d", cred->gid);
                                if (rc > out_end - out_ptr)
                                        goto out;
                                out_ptr += rc;
@@ -1708,8 +1702,9 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
        struct linux_binfmt * binfmt;
        struct inode * inode;
        struct file * file;
+        const struct cred *old_cred;
+        struct cred *cred;
        int retval = 0;
-        int fsuid = current->fsuid;
        int flag = 0;
        int ispipe = 0;
        unsigned long core_limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;
@@ -1722,12 +1717,20 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
        binfmt = current->binfmt;
        if (!binfmt || !binfmt->core_dump)
                goto fail;
+        cred = prepare_creds();
+        if (!cred) {
+                retval = -ENOMEM;
+                goto fail;
+        }
        down_write(&mm->mmap_sem);
        /*
         * If another thread got here first, or we are not dumpable, bail out.
         */
        if (mm->core_state || !get_dumpable(mm)) {
                up_write(&mm->mmap_sem);
+                put_cred(cred);
                goto fail;
        }
@@ -1738,12 +1741,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
         */
        if (get_dumpable(mm) == 2) {    /* Setuid core dump mode */
                flag = O_EXCL;          /* Stop rewrite attacks */
-                current->fsuid = 0;     /* Dump root private */
+                cred->fsuid = 0;        /* Dump root private */
        }
        retval = coredump_wait(exit_code, &core_state);
-        if (retval < 0)
+        if (retval < 0) {
+                put_cred(cred);
                goto fail;
+        }
+        old_cred = override_creds(cred);
        /*
         * Clear any false indication of pending signals that might
@@ -1815,7 +1822,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
         * Dont allow local users get cute and trick others to coredump
         * into their pre-created files:
         */
-        if (inode->i_uid != current->fsuid)
+        if (inode->i_uid != current_fsuid())
                goto close_fail;
        if (!file->f_op)
                goto close_fail;
@@ -1834,7 +1841,8 @@ fail_unlock:
        if (helper_argv)
                argv_free(helper_argv);
-        current->fsuid = fsuid;
+        revert_creds(old_cred);
+        put_cred(cred);
        coredump_finish(mm);
 fail:
        return retval;

diff --git a/fs/exec.c b/fs/exec.c index 4e834f16d9da..9c33f542dc77 100644 --- a/fs/exec.c +++ b/fs/exec.c
@@ -51,15 +51,12 @@
51	#include <linux/audit.h>	51	#include <linux/audit.h>
52	#include <linux/tracehook.h>	52	#include <linux/tracehook.h>
53	#include <linux/kmod.h>	53	#include <linux/kmod.h>
		54	#include <linux/fsnotify.h>
54		55
55	#include <asm/uaccess.h>	56	#include <asm/uaccess.h>
56	#include <asm/mmu_context.h>	57	#include <asm/mmu_context.h>
57	#include <asm/tlb.h>	58	#include <asm/tlb.h>
58		59	#include "internal.h"
59	#ifdef __alpha__
60	/* for /sbin/loader handling in search_binary_handler() */
61	#include <linux/a.out.h>
62	#endif
63		60
64	int core_uses_pid;	61	int core_uses_pid;
65	char core_pattern[CORENAME_MAX_SIZE] = "core";	62	char core_pattern[CORENAME_MAX_SIZE] = "core";
@@ -126,7 +123,8 @@ asmlinkage long sys_uselib(const char __user * library)
126	if (nd.path.mnt->mnt_flags & MNT_NOEXEC)	123	if (nd.path.mnt->mnt_flags & MNT_NOEXEC)
127	goto exit;	124	goto exit;
128		125
129	error = vfs_permission(&nd, MAY_READ \| MAY_EXEC \| MAY_OPEN);	126	error = inode_permission(nd.path.dentry->d_inode,
		127	MAY_READ \| MAY_EXEC \| MAY_OPEN);
130	if (error)	128	if (error)
131	goto exit;	129	goto exit;
132		130
@@ -135,6 +133,8 @@ asmlinkage long sys_uselib(const char __user * library)
135	if (IS_ERR(file))	133	if (IS_ERR(file))
136	goto out;	134	goto out;
137		135
		136	fsnotify_open(file->f_path.dentry);
		137
138	error = -ENOEXEC;	138	error = -ENOEXEC;
139	if(file->f_op) {	139	if(file->f_op) {
140	struct linux_binfmt * fmt;	140	struct linux_binfmt * fmt;
@@ -679,7 +679,7 @@ struct file open_exec(const char name)
679	if (nd.path.mnt->mnt_flags & MNT_NOEXEC)	679	if (nd.path.mnt->mnt_flags & MNT_NOEXEC)
680	goto out_path_put;	680	goto out_path_put;
681		681
682	err = vfs_permission(&nd, MAY_EXEC \| MAY_OPEN);	682	err = inode_permission(nd.path.dentry->d_inode, MAY_EXEC \| MAY_OPEN);
683	if (err)	683	if (err)
684	goto out_path_put;	684	goto out_path_put;
685		685
@@ -687,6 +687,8 @@ struct file open_exec(const char name)
687	if (IS_ERR(file))	687	if (IS_ERR(file))
688	return file;	688	return file;
689		689
		690	fsnotify_open(file->f_path.dentry);
		691
690	err = deny_write_access(file);	692	err = deny_write_access(file);
691	if (err) {	693	if (err) {
692	fput(file);	694	fput(file);
@@ -772,7 +774,6 @@ static int de_thread(struct task_struct *tsk)
772	struct signal_struct *sig = tsk->signal;	774	struct signal_struct *sig = tsk->signal;
773	struct sighand_struct *oldsighand = tsk->sighand;	775	struct sighand_struct *oldsighand = tsk->sighand;
774	spinlock_t *lock = &oldsighand->siglock;	776	spinlock_t *lock = &oldsighand->siglock;
775	struct task_struct *leader = NULL;
776	int count;	777	int count;
777		778
778	if (thread_group_empty(tsk))	779	if (thread_group_empty(tsk))
@@ -810,7 +811,7 @@ static int de_thread(struct task_struct *tsk)
810	* and to assume its PID:	811	* and to assume its PID:
811	*/	812	*/
812	if (!thread_group_leader(tsk)) {	813	if (!thread_group_leader(tsk)) {
813	leader = tsk->group_leader;	814	struct task_struct *leader = tsk->group_leader;
814		815
815	sig->notify_count = -1; /* for exit_notify() */	816	sig->notify_count = -1; /* for exit_notify() */
816	for (;;) {	817	for (;;) {
@@ -862,8 +863,9 @@ static int de_thread(struct task_struct *tsk)
862		863
863	BUG_ON(leader->exit_state != EXIT_ZOMBIE);	864	BUG_ON(leader->exit_state != EXIT_ZOMBIE);
864	leader->exit_state = EXIT_DEAD;	865	leader->exit_state = EXIT_DEAD;
865
866	write_unlock_irq(&tasklist_lock);	866	write_unlock_irq(&tasklist_lock);
		867
		868	release_task(leader);
867	}	869	}
868		870
869	sig->group_exit_task = NULL;	871	sig->group_exit_task = NULL;
@@ -872,8 +874,6 @@ static int de_thread(struct task_struct *tsk)
872	no_thread_group:	874	no_thread_group:
873	exit_itimers(sig);	875	exit_itimers(sig);
874	flush_itimer_signals();	876	flush_itimer_signals();
875	if (leader)
876	release_task(leader);
877		877
878	if (atomic_read(&oldsighand->count) != 1) {	878	if (atomic_read(&oldsighand->count) != 1) {
879	struct sighand_struct *newsighand;	879	struct sighand_struct *newsighand;
@@ -980,7 +980,7 @@ int flush_old_exec(struct linux_binprm * bprm)
980	/* This is the point of no return */	980	/* This is the point of no return */
981	current->sas_ss_sp = current->sas_ss_size = 0;	981	current->sas_ss_sp = current->sas_ss_size = 0;
982		982
983	if (current->euid == current->uid && current->egid == current->gid)	983	if (current_euid() == current_uid() && current_egid() == current_gid())
984	set_dumpable(current->mm, 1);	984	set_dumpable(current->mm, 1);
985	else	985	else
986	set_dumpable(current->mm, suid_dumpable);	986	set_dumpable(current->mm, suid_dumpable);
@@ -1007,16 +1007,17 @@ int flush_old_exec(struct linux_binprm * bprm)
1007	*/	1007	*/
1008	current->mm->task_size = TASK_SIZE;	1008	current->mm->task_size = TASK_SIZE;
1009		1009
1010	if (bprm->e_uid != current->euid \|\| bprm->e_gid != current->egid) {	1010	/* install the new credentials */
1011	suid_keys(current);	1011	if (bprm->cred->uid != current_euid() \|\|
1012	set_dumpable(current->mm, suid_dumpable);	1012	bprm->cred->gid != current_egid()) {
1013	current->pdeath_signal = 0;	1013	current->pdeath_signal = 0;
1014	} else if (file_permission(bprm->file, MAY_READ) \|\|	1014	} else if (file_permission(bprm->file, MAY_READ) \|\|
1015	(bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {	1015	bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP) {
1016	suid_keys(current);
1017	set_dumpable(current->mm, suid_dumpable);	1016	set_dumpable(current->mm, suid_dumpable);
1018	}	1017	}
1019		1018
		1019	current->personality &= ~bprm->per_clear;
		1020
1020	/* An exec changes our domain. We are no longer part of the thread	1021	/* An exec changes our domain. We are no longer part of the thread
1021	group */	1022	group */
1022		1023
@@ -1033,13 +1034,50 @@ out:
1033		1034
1034	EXPORT_SYMBOL(flush_old_exec);	1035	EXPORT_SYMBOL(flush_old_exec);
1035		1036
		1037	/*
		1038	* install the new credentials for this executable
		1039	*/
		1040	void install_exec_creds(struct linux_binprm *bprm)
		1041	{
		1042	security_bprm_committing_creds(bprm);
		1043
		1044	commit_creds(bprm->cred);
		1045	bprm->cred = NULL;
		1046
		1047	/* cred_exec_mutex must be held at least to this point to prevent
		1048	* ptrace_attach() from altering our determination of the task's
		1049	* credentials; any time after this it may be unlocked */
		1050
		1051	security_bprm_committed_creds(bprm);
		1052	}
		1053	EXPORT_SYMBOL(install_exec_creds);
		1054
		1055	/*
		1056	* determine how safe it is to execute the proposed program
		1057	* - the caller must hold current->cred_exec_mutex to protect against
		1058	* PTRACE_ATTACH
		1059	*/
		1060	void check_unsafe_exec(struct linux_binprm *bprm)
		1061	{
		1062	struct task_struct *p = current;
		1063
		1064	bprm->unsafe = tracehook_unsafe_exec(p);
		1065
		1066	if (atomic_read(&p->fs->count) > 1 \|\|
		1067	atomic_read(&p->files->count) > 1 \|\|
		1068	atomic_read(&p->sighand->count) > 1)
		1069	bprm->unsafe \|= LSM_UNSAFE_SHARE;
		1070	}
		1071
1036	/*	1072	/*
1037	* Fill the binprm structure from the inode.	1073	* Fill the binprm structure from the inode.
1038	* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes	1074	* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
		1075	*
		1076	* This may be called multiple times for binary chains (scripts for example).
1039	*/	1077	*/
1040	int prepare_binprm(struct linux_binprm *bprm)	1078	int prepare_binprm(struct linux_binprm *bprm)
1041	{	1079	{
1042	int mode;	1080	umode_t mode;
1043	struct inode * inode = bprm->file->f_path.dentry->d_inode;	1081	struct inode * inode = bprm->file->f_path.dentry->d_inode;
1044	int retval;	1082	int retval;
1045		1083
@@ -1047,14 +1085,15 @@ int prepare_binprm(struct linux_binprm *bprm)
1047	if (bprm->file->f_op == NULL)	1085	if (bprm->file->f_op == NULL)
1048	return -EACCES;	1086	return -EACCES;
1049		1087
1050	bprm->e_uid = current->euid;	1088	/* clear any previous set[ug]id data from a previous binary */
1051	bprm->e_gid = current->egid;	1089	bprm->cred->euid = current_euid();
		1090	bprm->cred->egid = current_egid();
1052		1091
1053	if(!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {	1092	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
1054	/* Set-uid? */	1093	/* Set-uid? */
1055	if (mode & S_ISUID) {	1094	if (mode & S_ISUID) {
1056	current->personality &= ~PER_CLEAR_ON_SETID;	1095	bprm->per_clear \|= PER_CLEAR_ON_SETID;
1057	bprm->e_uid = inode->i_uid;	1096	bprm->cred->euid = inode->i_uid;
1058	}	1097	}
1059		1098
1060	/* Set-gid? */	1099	/* Set-gid? */
@@ -1064,52 +1103,23 @@ int prepare_binprm(struct linux_binprm *bprm)
1064	* executable.	1103	* executable.
1065	*/	1104	*/
1066	if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {	1105	if ((mode & (S_ISGID \| S_IXGRP)) == (S_ISGID \| S_IXGRP)) {
1067	current->personality &= ~PER_CLEAR_ON_SETID;	1106	bprm->per_clear \|= PER_CLEAR_ON_SETID;
1068	bprm->e_gid = inode->i_gid;	1107	bprm->cred->egid = inode->i_gid;
1069	}	1108	}
1070	}	1109	}
1071		1110
1072	/* fill in binprm security blob */	1111	/* fill in binprm security blob */
1073	retval = security_bprm_set(bprm);	1112	retval = security_bprm_set_creds(bprm);
1074	if (retval)	1113	if (retval)
1075	return retval;	1114	return retval;
		1115	bprm->cred_prepared = 1;
1076		1116
1077	memset(bprm->buf,0,BINPRM_BUF_SIZE);	1117	memset(bprm->buf, 0, BINPRM_BUF_SIZE);
1078	return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);	1118	return kernel_read(bprm->file, 0, bprm->buf, BINPRM_BUF_SIZE);
1079	}	1119	}
1080		1120
1081	EXPORT_SYMBOL(prepare_binprm);	1121	EXPORT_SYMBOL(prepare_binprm);
1082		1122
1083	static int unsafe_exec(struct task_struct *p)
1084	{
1085	int unsafe = tracehook_unsafe_exec(p);
1086
1087	if (atomic_read(&p->fs->count) > 1 \|\|
1088	atomic_read(&p->files->count) > 1 \|\|
1089	atomic_read(&p->sighand->count) > 1)
1090	unsafe \|= LSM_UNSAFE_SHARE;
1091
1092	return unsafe;
1093	}
1094
1095	void compute_creds(struct linux_binprm *bprm)
1096	{
1097	int unsafe;
1098
1099	if (bprm->e_uid != current->uid) {
1100	suid_keys(current);
1101	current->pdeath_signal = 0;
1102	}
1103	exec_keys(current);
1104
1105	task_lock(current);
1106	unsafe = unsafe_exec(current);
1107	security_bprm_apply_creds(bprm, unsafe);
1108	task_unlock(current);
1109	security_bprm_post_apply_creds(bprm);
1110	}
1111	EXPORT_SYMBOL(compute_creds);
1112
1113	/*	1123	/*
1114	* Arguments are '\0' separated strings found at the location bprm->p	1124	* Arguments are '\0' separated strings found at the location bprm->p
1115	* points to; chop off the first by relocating brpm->p to right after	1125	* points to; chop off the first by relocating brpm->p to right after
@@ -1159,43 +1169,10 @@ EXPORT_SYMBOL(remove_arg_zero);
1159	*/	1169	*/
1160	int search_binary_handler(struct linux_binprm bprm,struct pt_regs regs)	1170	int search_binary_handler(struct linux_binprm bprm,struct pt_regs regs)
1161	{	1171	{
		1172	unsigned int depth = bprm->recursion_depth;
1162	int try,retval;	1173	int try,retval;
1163	struct linux_binfmt *fmt;	1174	struct linux_binfmt *fmt;
1164	#ifdef __alpha__
1165	/* handle /sbin/loader.. */
1166	{
1167	struct exec * eh = (struct exec *) bprm->buf;
1168		1175
1169	if (!bprm->loader && eh->fh.f_magic == 0x183 &&
1170	(eh->fh.f_flags & 0x3000) == 0x3000)
1171	{
1172	struct file * file;
1173	unsigned long loader;
1174
1175	allow_write_access(bprm->file);
1176	fput(bprm->file);
1177	bprm->file = NULL;
1178
1179	loader = bprm->vma->vm_end - sizeof(void *);
1180
1181	file = open_exec("/sbin/loader");
1182	retval = PTR_ERR(file);
1183	if (IS_ERR(file))
1184	return retval;
1185
1186	/* Remember if the application is TASO. */
1187	bprm->taso = eh->ah.entry < 0x100000000UL;
1188
1189	bprm->file = file;
1190	bprm->loader = loader;
1191	retval = prepare_binprm(bprm);
1192	if (retval<0)
1193	return retval;
1194	/* should call search_binary_handler recursively here,
1195	but it does not matter */
1196	}
1197	}
1198	#endif
1199	retval = security_bprm_check(bprm);	1176	retval = security_bprm_check(bprm);
1200	if (retval)	1177	if (retval)
1201	return retval;	1178	return retval;
@@ -1219,8 +1196,15 @@ int search_binary_handler(struct linux_binprm bprm,struct pt_regs regs)
1219	continue;	1196	continue;
1220	read_unlock(&binfmt_lock);	1197	read_unlock(&binfmt_lock);
1221	retval = fn(bprm, regs);	1198	retval = fn(bprm, regs);
		1199	/*
		1200	* Restore the depth counter to its starting value
		1201	* in this call, so we don't have to rely on every
		1202	* load_binary function to restore it on return.
		1203	*/
		1204	bprm->recursion_depth = depth;
1222	if (retval >= 0) {	1205	if (retval >= 0) {
1223	tracehook_report_exec(fmt, bprm, regs);	1206	if (depth == 0)
		1207	tracehook_report_exec(fmt, bprm, regs);
1224	put_binfmt(fmt);	1208	put_binfmt(fmt);
1225	allow_write_access(bprm->file);	1209	allow_write_access(bprm->file);
1226	if (bprm->file)	1210	if (bprm->file)
@@ -1262,6 +1246,8 @@ EXPORT_SYMBOL(search_binary_handler);
1262	void free_bprm(struct linux_binprm *bprm)	1246	void free_bprm(struct linux_binprm *bprm)
1263	{	1247	{
1264	free_arg_pages(bprm);	1248	free_arg_pages(bprm);
		1249	if (bprm->cred)
		1250	abort_creds(bprm->cred);
1265	kfree(bprm);	1251	kfree(bprm);
1266	}	1252	}
1267		1253
@@ -1287,10 +1273,20 @@ int do_execve(char * filename,
1287	if (!bprm)	1273	if (!bprm)
1288	goto out_files;	1274	goto out_files;
1289		1275
		1276	retval = mutex_lock_interruptible(&current->cred_exec_mutex);
		1277	if (retval < 0)
		1278	goto out_free;
		1279
		1280	retval = -ENOMEM;
		1281	bprm->cred = prepare_exec_creds();
		1282	if (!bprm->cred)
		1283	goto out_unlock;
		1284	check_unsafe_exec(bprm);
		1285
1290	file = open_exec(filename);	1286	file = open_exec(filename);
1291	retval = PTR_ERR(file);	1287	retval = PTR_ERR(file);
1292	if (IS_ERR(file))	1288	if (IS_ERR(file))
1293	goto out_kfree;	1289	goto out_unlock;
1294		1290
1295	sched_exec();	1291	sched_exec();
1296		1292
@@ -1304,14 +1300,10 @@ int do_execve(char * filename,
1304		1300
1305	bprm->argc = count(argv, MAX_ARG_STRINGS);	1301	bprm->argc = count(argv, MAX_ARG_STRINGS);
1306	if ((retval = bprm->argc) < 0)	1302	if ((retval = bprm->argc) < 0)
1307	goto out_mm;	1303	goto out;
1308		1304
1309	bprm->envc = count(envp, MAX_ARG_STRINGS);	1305	bprm->envc = count(envp, MAX_ARG_STRINGS);
1310	if ((retval = bprm->envc) < 0)	1306	if ((retval = bprm->envc) < 0)
1311	goto out_mm;
1312
1313	retval = security_bprm_alloc(bprm);
1314	if (retval)
1315	goto out;	1307	goto out;
1316		1308
1317	retval = prepare_binprm(bprm);	1309	retval = prepare_binprm(bprm);
@@ -1333,21 +1325,18 @@ int do_execve(char * filename,
1333		1325
1334	current->flags &= ~PF_KTHREAD;	1326	current->flags &= ~PF_KTHREAD;
1335	retval = search_binary_handler(bprm,regs);	1327	retval = search_binary_handler(bprm,regs);
1336	if (retval >= 0) {	1328	if (retval < 0)
1337	/* execve success */	1329	goto out;
1338	security_bprm_free(bprm);
1339	acct_update_integrals(current);
1340	free_bprm(bprm);
1341	if (displaced)
1342	put_files_struct(displaced);
1343	return retval;
1344	}
1345		1330
1346	out:	1331	/* execve succeeded */
1347	if (bprm->security)	1332	mutex_unlock(&current->cred_exec_mutex);
1348	security_bprm_free(bprm);	1333	acct_update_integrals(current);
		1334	free_bprm(bprm);
		1335	if (displaced)
		1336	put_files_struct(displaced);
		1337	return retval;
1349		1338
1350	out_mm:	1339	out:
1351	if (bprm->mm)	1340	if (bprm->mm)
1352	mmput (bprm->mm);	1341	mmput (bprm->mm);
1353		1342
@@ -1356,7 +1345,11 @@ out_file:
1356	allow_write_access(bprm->file);	1345	allow_write_access(bprm->file);
1357	fput(bprm->file);	1346	fput(bprm->file);
1358	}	1347	}
1359	out_kfree:	1348
		1349	out_unlock:
		1350	mutex_unlock(&current->cred_exec_mutex);
		1351
		1352	out_free:
1360	free_bprm(bprm);	1353	free_bprm(bprm);
1361		1354
1362	out_files:	1355	out_files:
@@ -1388,6 +1381,7 @@ EXPORT_SYMBOL(set_binfmt);
1388	*/	1381	*/
1389	static int format_corename(char *corename, long signr)	1382	static int format_corename(char *corename, long signr)
1390	{	1383	{
		1384	const struct cred *cred = current_cred();
1391	const char *pat_ptr = core_pattern;	1385	const char *pat_ptr = core_pattern;
1392	int ispipe = (*pat_ptr == '\|');	1386	int ispipe = (*pat_ptr == '\|');
1393	char *out_ptr = corename;	1387	char *out_ptr = corename;
@@ -1424,7 +1418,7 @@ static int format_corename(char *corename, long signr)
1424	/* uid */	1418	/* uid */
1425	case 'u':	1419	case 'u':
1426	rc = snprintf(out_ptr, out_end - out_ptr,	1420	rc = snprintf(out_ptr, out_end - out_ptr,
1427	"%d", current->uid);	1421	"%d", cred->uid);
1428	if (rc > out_end - out_ptr)	1422	if (rc > out_end - out_ptr)
1429	goto out;	1423	goto out;
1430	out_ptr += rc;	1424	out_ptr += rc;
@@ -1432,7 +1426,7 @@ static int format_corename(char *corename, long signr)
1432	/* gid */	1426	/* gid */
1433	case 'g':	1427	case 'g':
1434	rc = snprintf(out_ptr, out_end - out_ptr,	1428	rc = snprintf(out_ptr, out_end - out_ptr,
1435	"%d", current->gid);	1429	"%d", cred->gid);
1436	if (rc > out_end - out_ptr)	1430	if (rc > out_end - out_ptr)
1437	goto out;	1431	goto out;
1438	out_ptr += rc;	1432	out_ptr += rc;
@@ -1708,8 +1702,9 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
1708	struct linux_binfmt * binfmt;	1702	struct linux_binfmt * binfmt;
1709	struct inode * inode;	1703	struct inode * inode;
1710	struct file * file;	1704	struct file * file;
		1705	const struct cred *old_cred;
		1706	struct cred *cred;
1711	int retval = 0;	1707	int retval = 0;
1712	int fsuid = current->fsuid;
1713	int flag = 0;	1708	int flag = 0;
1714	int ispipe = 0;	1709	int ispipe = 0;
1715	unsigned long core_limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;	1710	unsigned long core_limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;
@@ -1722,12 +1717,20 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
1722	binfmt = current->binfmt;	1717	binfmt = current->binfmt;
1723	if (!binfmt \|\| !binfmt->core_dump)	1718	if (!binfmt \|\| !binfmt->core_dump)
1724	goto fail;	1719	goto fail;
		1720
		1721	cred = prepare_creds();
		1722	if (!cred) {
		1723	retval = -ENOMEM;
		1724	goto fail;
		1725	}
		1726
1725	down_write(&mm->mmap_sem);	1727	down_write(&mm->mmap_sem);
1726	/*	1728	/*
1727	* If another thread got here first, or we are not dumpable, bail out.	1729	* If another thread got here first, or we are not dumpable, bail out.
1728	*/	1730	*/
1729	if (mm->core_state \|\| !get_dumpable(mm)) {	1731	if (mm->core_state \|\| !get_dumpable(mm)) {
1730	up_write(&mm->mmap_sem);	1732	up_write(&mm->mmap_sem);
		1733	put_cred(cred);
1731	goto fail;	1734	goto fail;
1732	}	1735	}
1733		1736
@@ -1738,12 +1741,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
1738	*/	1741	*/
1739	if (get_dumpable(mm) == 2) { /* Setuid core dump mode */	1742	if (get_dumpable(mm) == 2) { /* Setuid core dump mode */
1740	flag = O_EXCL; /* Stop rewrite attacks */	1743	flag = O_EXCL; /* Stop rewrite attacks */
1741	current->fsuid = 0; /* Dump root private */	1744	cred->fsuid = 0; /* Dump root private */
1742	}	1745	}
1743		1746
1744	retval = coredump_wait(exit_code, &core_state);	1747	retval = coredump_wait(exit_code, &core_state);
1745	if (retval < 0)	1748	if (retval < 0) {
		1749	put_cred(cred);
1746	goto fail;	1750	goto fail;
		1751	}
		1752
		1753	old_cred = override_creds(cred);
1747		1754
1748	/*	1755	/*
1749	* Clear any false indication of pending signals that might	1756	* Clear any false indication of pending signals that might
@@ -1815,7 +1822,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
1815	* Dont allow local users get cute and trick others to coredump	1822	* Dont allow local users get cute and trick others to coredump
1816	* into their pre-created files:	1823	* into their pre-created files:
1817	*/	1824	*/
1818	if (inode->i_uid != current->fsuid)	1825	if (inode->i_uid != current_fsuid())
1819	goto close_fail;	1826	goto close_fail;
1820	if (!file->f_op)	1827	if (!file->f_op)
1821	goto close_fail;	1828	goto close_fail;
@@ -1834,7 +1841,8 @@ fail_unlock:
1834	if (helper_argv)	1841	if (helper_argv)
1835	argv_free(helper_argv);	1842	argv_free(helper_argv);
1836		1843
1837	current->fsuid = fsuid;	1844	revert_creds(old_cred);
		1845	put_cred(cred);
1838	coredump_finish(mm);	1846	coredump_finish(mm);
1839	fail:	1847	fail:
1840	return retval;	1848	return retval;