From patchwork Thu Oct 6 08:27:33 2022
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13000048
From: Kees Cook
To: Eric Biederman
Cc: Kees Cook, Jorge Merlino, Al Viro, "Christian Brauner (Microsoft)", Thomas Gleixner, Andy Lutomirski, Sebastian Andrzej Siewior, Andrew Morton, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", Stephen Smalley, Eric Paris, Richard Haines, Casey Schaufler, Xin Long, "David S. Miller", Todd Kjos, Ondrej Mosnacek, Prashanth Prahlad, Micah Morton, Fenghua Yu, Andrei Vagin, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, selinux@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH 0/2] fs/exec: Explicitly unshare fs_struct on exec
Date: Thu, 6 Oct 2022 01:27:33 -0700
Message-Id: <20221006082735.1321612-1-keescook@chromium.org>

Hi,

These changes seek to address an issue reported[1] by Jorge Merlino where high-thread-count processes would sometimes fail to setuid during a setuid execve(). It looks to me like the solution is to explicitly do an unshare_fs(), which should almost always be a no-op.
Current testing seems to indicate that only the swapper->init exec triggers this condition (and I'm unclear on whether that's expected or undesirable).

This has only received very light testing so far, but I wanted to share it so other folks could look it over.

Jorge, can you test with these patches? Your PoC triggered immediately for me on an unpatched kernel, and did not trigger on a patched one.

I added this patch on top of the series to see if the code ever fired:

Thanks!

-Kees

[1] https://lore.kernel.org/lkml/20220910211215.140270-1-jorge.merlino@canonical.com/

Kees Cook (2):
  fs/exec: Explicitly unshare fs_struct on exec
  exec: Remove LSM_UNSAFE_SHARE

 fs/exec.c                  | 26 ++++------------
 fs/fs_struct.c             |  1 -
 include/linux/fdtable.h    |  1 +
 include/linux/fs_struct.h  |  1 -
 include/linux/security.h   |  5 ++-
 kernel/fork.c              | 62 ++++++++++++++++++++++++++------------
 security/apparmor/domain.c |  5 ---
 security/selinux/hooks.c   | 10 ------
 8 files changed, 51 insertions(+), 60 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c index 53b7248f7a4b..3c197d9d8daa 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -3113,6 +3113,7 @@ int unshare_fs(void) if (error || !new_fs) return error; + pr_notice("UNSHARE of \"%s\" [%d]\n", current->comm, current->pid); unshare_fs_finalize(&new_fs); if (new_fs)
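Review bot: the pr_notice() inserted in unshare_fs() between the `if (error || !new_fs) return error;` check and `unshare_fs_finalize(&new_fs);` is test instrumentation, as the cover letter says, and should not travel with the series when it is applied. If it is kept for further testing, an unratelimited pr_notice() on a path that the series now runs from execve() can flood the log when a process with many threads execs repeatedly; pr_debug() or pr_notice_ratelimited() with the same format string would give the same "did it ever fire" signal at lower cost. Also note that the message is emitted before unshare_fs_finalize() runs, so it records that a new fs_struct was allocated for the split, not that the swap completed; moving the print after that call would make the swapper->init observation in the cover letter a little stronger.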