From patchwork Sat Feb 3 10:52:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13544037 X-Patchwork-Delegate: paul@paul-moore.com Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 812955D8E1; Sat, 3 Feb 2024 10:53:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957608; cv=none; b=X3rif85nL3IVFtHRp87PVVxzs/gZs0CwOs93SWyzVibBMgOUV5g85UzN3sljMPvP5PA6Q1/modZ5+VOm+D2wVDMyL2bH7+tZIRoXEKIl8K3EAnCy9f0nhiexJ0YyCrZs5xzAMn9UyjpK2FhnppJHzwO5y2PJnZXDf0qylvZudtg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957608; c=relaxed/simple; bh=mh230nw9C+CMlZ+KBHNN6+L7nuVm0C8xivOOp+Zjens=; h=Message-ID:Date:MIME-Version:Subject:From:To:Cc:References: In-Reply-To:Content-Type; b=dfkiCIAQHMdFFU+MpRNUYmvHgvwOSkBLgro9mGeETtt/8KnPvUpqWlTwKlLUT5/mzCGmlLyzFMIvx5VDoaNLt1+tDXdi5H6k/aLt3U9KidGLKmRoDnnqkmmrDEmG1FMY9P9N4fqRj1OijFLAXkoK9vHvs0CVvoGlElEY2IJ3HEw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp Received: from fsav120.sakura.ne.jp (fsav120.sakura.ne.jp [27.133.134.247]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 413Aqsi8052538; Sat, 3 Feb 2024 19:52:55 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav120.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav120.sakura.ne.jp); Sat, 03 Feb 2024 19:52:54 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav120.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 413AqOqw052397 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Sat, 3 Feb 2024 19:52:54 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: <999a4733-c554-43ca-a6e9-998c939fbeb8@I-love.SAKURA.ne.jp> Date: Sat, 3 Feb 2024 19:52:54 +0900 Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH v2 1/3] LSM: add security_execve_abort() hook Content-Language: en-US From: Tetsuo Handa To: Linus Torvalds , Eric Biederman , Kees Cook , Alexander Viro , Christian Brauner , Jan Kara , Paul Moore , James Morris , "Serge E. Hallyn" Cc: linux-security-module , linux-fsdevel , LKML References: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> In-Reply-To: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> A regression caused by commit 978ffcbf00d8 ("execve: open the executable file before doing anything else") has been fixed by commit 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs") and commit 3eab830189d9 ("uselib: remove use of __FMODE_EXEC"). While fixing this regression, Linus commented that we want to remove current->in_execve flag. The current->in_execve flag was introduced by commit f9ce1f1cda8b ("Add in_execve flag into task_struct.") when TOMOYO LSM was merged, and the reason was explained in commit f7433243770c ("LSM adapter functions."). In short, TOMOYO's design is not compatible with COW credential model introduced in Linux 2.6.29, and the current->in_execve flag was added for emulating security_bprm_free() hook which has been removed by introduction of COW credential model. security_task_alloc()/security_task_free() hooks have been removed by commit f1752eec6145 ("CRED: Detach the credentials from task_struct"), and these hooks have been revived by commit 1a2a4d06e1e9 ("security: create task_free security callback") and commit e4e55b47ed9a ("LSM: Revive security_task_alloc() hook and per "struct task_struct" security blob."). But security_bprm_free() hook did not revive until now. Now that Linus wants TOMOYO to stop carrying state across two independent execve() calls, and TOMOYO can stop carrying state if a hook for restoring previous state upon failed execve() call were provided, this patch revives the hook. Since security_bprm_committing_creds() and security_bprm_committed_creds() hooks are called when an execve() request succeeded, we don't need to call security_bprm_free() hook when an execve() request succeeded. Therefore, this patch adds security_execve_abort() hook which is called only when an execve() request failed after successful prepare_bprm_creds() call. Signed-off-by: Tetsuo Handa Reviewed-by: Kees Cook --- fs/exec.c | 1 + include/linux/lsm_hook_defs.h | 1 + include/linux/security.h | 5 +++++ security/security.c | 11 +++++++++++ 4 files changed, 18 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index af4fbb61cd53..d6d35a06fd08 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1521,6 +1521,7 @@ static void free_bprm(struct linux_binprm *bprm) if (bprm->cred) { mutex_unlock(¤t->signal->cred_guard_mutex); abort_creds(bprm->cred); + security_execve_abort(); } do_close_execat(bprm->file); if (bprm->executable) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 76458b6d53da..fd100ab71a33 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -54,6 +54,7 @@ LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct f LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm) LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm) +LSM_HOOK(void, LSM_RET_VOID, execve_abort, void) LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference) LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc, struct fs_context *src_sc) diff --git a/include/linux/security.h b/include/linux/security.h index d0eb20f90b26..31532b30c4f0 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -299,6 +299,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file * int security_bprm_check(struct linux_binprm *bprm); void security_bprm_committing_creds(const struct linux_binprm *bprm); void security_bprm_committed_creds(const struct linux_binprm *bprm); +void security_execve_abort(void); int security_fs_context_submount(struct fs_context *fc, struct super_block *reference); int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc); int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param); @@ -648,6 +649,10 @@ static inline void security_bprm_committed_creds(const struct linux_binprm *bprm { } +static inline void security_execve_abort(void) +{ +} + static inline int security_fs_context_submount(struct fs_context *fc, struct super_block *reference) { diff --git a/security/security.c b/security/security.c index 3aaad75c9ce8..10adc4d3c5e0 100644 --- a/security/security.c +++ b/security/security.c @@ -1223,6 +1223,17 @@ void security_bprm_committed_creds(const struct linux_binprm *bprm) call_void_hook(bprm_committed_creds, bprm); } +/** + * security_execve_abort() - Notify that exec() has failed + * + * This hook is for undoing changes which cannot be discarded by + * abort_creds(). + */ +void security_execve_abort(void) +{ + call_void_hook(execve_abort); +} + /** * security_fs_context_submount() - Initialise fc->security * @fc: new filesystem context From patchwork Sat Feb 3 10:53:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13544038 X-Patchwork-Delegate: paul@paul-moore.com Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A211D5DF32; Sat, 3 Feb 2024 10:53:40 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957622; cv=none; b=p7lT6xOcHihbtjLXyU0OvFkpwHkeMy5lokkv6QC6uHJ+A3GROr+yr0dRZOGCWo2fLvk0oIsMPcUG4CEIOjdEPbrDvERNLHN5F6zS6WmBndN7Xi6JX2ipDOhJ+1VMQT9w8mARdPTPVOqipTH+br28UQSbcCw/isuyL3sby4e1PcI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957622; c=relaxed/simple; bh=8vqCj4OOBOrarMSM5zpD/UThJa847S4p6+egpVHsUbg=; h=Message-ID:Date:MIME-Version:Subject:From:To:Cc:References: In-Reply-To:Content-Type; b=tGHukq/WiLRf0CK56O5OlotMR6NA6/bbfDVomDHlzeZFy8yQKJzn8HiKcZVocd9xd161NfICqvkD1SZ4yzzun9cR+FveBuP5/tZh1NQJ3vucycUEl/j6xdG2oHB1YOmDi+eKot60eDHYEdLVyERCT1AMMLzgvKXyGq9dOFuIH+Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp Received: from fsav413.sakura.ne.jp (fsav413.sakura.ne.jp [133.242.250.112]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 413ArIfe052647; Sat, 3 Feb 2024 19:53:18 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav413.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav413.sakura.ne.jp); Sat, 03 Feb 2024 19:53:18 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav413.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 413AqOqx052397 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Sat, 3 Feb 2024 19:53:17 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: <2a901d27-dba5-4ff4-9e47-373c54965253@I-love.SAKURA.ne.jp> Date: Sat, 3 Feb 2024 19:53:17 +0900 Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH v2 2/3] tomoyo: replace current->in_execve flag with security_execve_abort() hook Content-Language: en-US From: Tetsuo Handa To: Linus Torvalds , Eric Biederman , Kees Cook , Alexander Viro , Christian Brauner , Jan Kara , Paul Moore , James Morris , "Serge E. Hallyn" Cc: linux-security-module , linux-fsdevel , LKML References: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> In-Reply-To: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> TOMOYO was using current->in_execve flag in order to restore previous state when previous execve() request failed. Since security_execve_abort() hook was added, switch to use it. Signed-off-by: Tetsuo Handa Reviewed-by: Kees Cook --- security/tomoyo/tomoyo.c | 22 ++++++---------------- 1 file changed, 6 insertions(+), 16 deletions(-) diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 04a92c3d65d4..9da11aaffeb9 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -18,34 +18,24 @@ struct tomoyo_domain_info *tomoyo_domain(void) { struct tomoyo_task *s = tomoyo_task(current); - if (s->old_domain_info && !current->in_execve) { - atomic_dec(&s->old_domain_info->users); - s->old_domain_info = NULL; - } return s->domain_info; } /** - * tomoyo_cred_prepare - Target for security_prepare_creds(). - * - * @new: Pointer to "struct cred". - * @old: Pointer to "struct cred". - * @gfp: Memory allocation flags. + * tomoyo_execve_abort - Target for security_execve_abort(). * - * Returns 0. + * @bprm: void */ -static int tomoyo_cred_prepare(struct cred *new, const struct cred *old, - gfp_t gfp) +static void tomoyo_execve_abort(void) { - /* Restore old_domain_info saved by previous execve() request. */ + /* Restore old_domain_info saved by execve() request. */ struct tomoyo_task *s = tomoyo_task(current); - if (s->old_domain_info && !current->in_execve) { + if (s->old_domain_info) { atomic_dec(&s->domain_info->users); s->domain_info = s->old_domain_info; s->old_domain_info = NULL; } - return 0; } /** @@ -554,8 +544,8 @@ static const struct lsm_id tomoyo_lsmid = { * registering TOMOYO. */ static struct security_hook_list tomoyo_hooks[] __ro_after_init = { - LSM_HOOK_INIT(cred_prepare, tomoyo_cred_prepare), LSM_HOOK_INIT(bprm_committed_creds, tomoyo_bprm_committed_creds), + LSM_HOOK_INIT(execve_abort, tomoyo_execve_abort), LSM_HOOK_INIT(task_alloc, tomoyo_task_alloc), LSM_HOOK_INIT(task_free, tomoyo_task_free), #ifndef CONFIG_SECURITY_TOMOYO_OMIT_USERSPACE_LOADER From patchwork Sat Feb 3 10:53:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13544039 X-Patchwork-Delegate: paul@paul-moore.com Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CCEBF482FF; Sat, 3 Feb 2024 10:54:03 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957645; cv=none; b=X9gh7kl8ATI+1tyyBkFkm8c+/hu9IXw7cfH2/6v9ih6c3Ymu+SGfYco/mBu2ntzh6n5mMY6oYkv9twZ79BI/ZdD75rGDxvD5r+xCyZetam/icgNZUeX6/cnRbLtPYuka5A0SvjAH2EdmMTZTmt8RKRRESH+9aq+46o39bdadB2E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706957645; c=relaxed/simple; bh=F+69FTeIjzSdatJi0VG2CjE/hSQPwZ6HCaeuaIWBHzw=; h=Message-ID:Date:MIME-Version:Subject:From:To:Cc:References: In-Reply-To:Content-Type; b=ANW0UvDLbWFxqo8uZAAYCKtkmlZkTZ05dJbyugP3uDD/hxs0XP77Pkk/FYHC9sMtpAVHim60Wc6cYX0xVTxwsHCK16Whhtb7WQwF6Nyp0mX6YwMLFRGsTBN6fH1gXcWOEa1/SgtY27dwhl80kwVk77Y3DrEzmVTLHRt14IXVuG8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp Received: from fsav311.sakura.ne.jp (fsav311.sakura.ne.jp [153.120.85.142]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 413Arep7052729; Sat, 3 Feb 2024 19:53:40 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav311.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav311.sakura.ne.jp); Sat, 03 Feb 2024 19:53:40 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav311.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 413AqOr0052397 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Sat, 3 Feb 2024 19:53:39 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Sat, 3 Feb 2024 19:53:39 +0900 Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH v2 3/3] fs/exec: remove current->in_execve flag Content-Language: en-US From: Tetsuo Handa To: Linus Torvalds , Eric Biederman , Kees Cook , Alexander Viro , Christian Brauner , Jan Kara , Paul Moore , James Morris , "Serge E. Hallyn" Cc: linux-security-module , linux-fsdevel , LKML References: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> In-Reply-To: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> Addition of security_execve_abort() hook made it possible to remove this flag. Signed-off-by: Tetsuo Handa Reviewed-by: Kees Cook --- fs/exec.c | 3 --- include/linux/sched.h | 3 --- 2 files changed, 6 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index d6d35a06fd08..c197573b2940 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1865,7 +1865,6 @@ static int bprm_execve(struct linux_binprm *bprm) * where setuid-ness is evaluated. */ check_unsafe_exec(bprm); - current->in_execve = 1; sched_mm_cid_before_execve(current); sched_exec(); @@ -1882,7 +1881,6 @@ static int bprm_execve(struct linux_binprm *bprm) sched_mm_cid_after_execve(current); /* execve succeeded */ current->fs->in_exec = 0; - current->in_execve = 0; rseq_execve(current); user_events_execve(current); acct_update_integrals(current); @@ -1901,7 +1899,6 @@ static int bprm_execve(struct linux_binprm *bprm) sched_mm_cid_after_execve(current); current->fs->in_exec = 0; - current->in_execve = 0; return retval; } diff --git a/include/linux/sched.h b/include/linux/sched.h index ffe8f618ab86..66ada87249b1 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -919,9 +919,6 @@ struct task_struct { #ifdef CONFIG_RT_MUTEXES unsigned sched_rt_mutex:1; #endif - - /* Bit to tell TOMOYO we're in execve(): */ - unsigned in_execve:1; unsigned in_iowait:1; #ifndef TIF_RESTORE_SIGMASK unsigned restore_sigmask:1;