From patchwork Sat Nov 30 04:54:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Kees Cook X-Patchwork-Id: 13889113 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9E2D7D735EE for ; Sat, 30 Nov 2024 04:54:49 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 03F3D6B0088; Fri, 29 Nov 2024 23:54:49 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id F0A5C6B0089; Fri, 29 Nov 2024 23:54:48 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id DAAE36B008C; Fri, 29 Nov 2024 23:54:48 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id B2A5C6B0088 for ; Fri, 29 Nov 2024 23:54:48 -0500 (EST) Received: from smtpin29.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 3A926A11A6 for ; Sat, 30 Nov 2024 04:54:48 +0000 (UTC) X-FDA: 82841546172.29.A771D8E Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by imf05.hostedemail.com (Postfix) with ESMTP id 52D35100005 for ; Sat, 30 Nov 2024 04:54:29 +0000 (UTC) Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=qQi4IFxS; dmarc=pass (policy=quarantine) header.from=kernel.org; spf=pass (imf05.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1732942478; a=rsa-sha256; cv=none; b=afHlZVuc/ipzJcWV7HZe0QGUeSPhl48h+slcwEcI6kZK9n0+JFh8qDW7LhJKuzhOeAKl4D /WdJBOsxgcs9dJRuYHEZCGj1G0jKCTbH3o2iudeaFGUK1KrMK8YiNMmRlxzznV3v24CXnQ LcdvjNgOqEWlK0TSIL00hd35J47rqIc= ARC-Authentication-Results: i=1; imf05.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=qQi4IFxS; dmarc=pass (policy=quarantine) header.from=kernel.org; spf=pass (imf05.hostedemail.com: domain of kees@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=kees@kernel.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1732942478; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=Yh89GL4Er7Lj1VyHcfRAvaOAoCc5fyYUM73P1QluU8A=; b=Y3Z3tlEfR0Me032NMBEHIAtHKYM6R4t0itwwJ8PN+sX7pVb5O5sH5ui8XJMEl9Ut4Tbwb8 5nO+iYW463IJg38j4x5w8KvyZtXV9gs66KbbD8ioEgRi0W2cxGWAVTO0F3EtGzxPW3HC7m 7WI+rnWMPeveCAyhoREJ4Gz93+blYcg= Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 4D0BF5C3A41; Sat, 30 Nov 2024 04:54:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1FEACC4CECC; Sat, 30 Nov 2024 04:54:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1732942485; bh=aCxakwcfVdMumx7XBGW2MeqYuhOvg/sHlb8AzZkdy88=; h=From:To:Cc:Subject:Date:From; b=qQi4IFxSpj84eyvJB1SO2yvWP13PTANMBvLiZ8PelEdeF0NJA/CnqT9wCNaoTl6TG +eam9CteJ8HTHK4gfLZ9DT3wSRjuaPQB4AkyM2rFnRj8HhIq36bRO5YYKyZs7SbZlK 8hWH12oGk68lOJUzT+twvWyRBKUvEUv7aB89yuK8hOllLAK8CTkZKzXR0pu7OxXN22 9EgQ32j5UsJhl9a7hdAIcuFnS9A/gJOHwVTMAd5FLrWBWml4Ehaa/AznyNKB/SsLoL keIU/dNb/zNS+K9cdGSO0zVKBGVFPOYb6YaTMt310S1pHsIaPe0aFShYtXXGr3/205 d7y2BW5TZlvRw== From: Kees Cook To: Al Viro Cc: Kees Cook , =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= , Tycho Andersen , Linus Torvalds , Aleksa Sarai , Eric Biederman , Christian Brauner , Jan Kara , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH] exec: fix up /proc/pid/comm in the execveat(AT_EMPTY_PATH) case Date: Fri, 29 Nov 2024 20:54:38 -0800 Message-Id: <20241130045437.work.390-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=3936; i=kees@kernel.org; h=from:subject:message-id; bh=aCxakwcfVdMumx7XBGW2MeqYuhOvg/sHlb8AzZkdy88=; b=owGbwMvMwCVmps19z/KJym7G02pJDOles/qCNukktoSGha36rGrq0yfNW1Y3ecvlxP4dzbqBG 0yePmbqKGVhEONikBVTZAmyc49z8XjbHu4+VxFmDisTyBAGLk4BmEi6KcNfQd7rTNpXnFf+U1hx NKfaXCSDd2tu59bq7bGdSzS+yFscYPhnNNl6pZK6wlGfA3mLUxYanj+xLFJ9z5sP8aUvw0urPUS YAQ== X-Developer-Key: i=kees@kernel.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 X-Stat-Signature: truscewhw1bzxaxajmijmqgjqz3ucahw X-Rspam-User: X-Rspamd-Queue-Id: 52D35100005 X-Rspamd-Server: rspam08 X-HE-Tag: 1732942469-820154 X-HE-Meta: U2FsdGVkX1+dp36P1r7faVyaGGvBEb5mHRMiKLM06LqvKeXkD6EXfzqRl9ITKT7ZpLC2Z7uVcQifzdlX+6TjM4O7hiWBWBCXicN4qJYxOpdSZGqo2WhW+Z1ha9+f1BVvyywMzhdpyhIrsK7F1g8qjgPv/OPEXKIKjqALocFSZgw3IPLBiNUnX1al+Cx0Gz3B2pa+kfSf3uDDC4lL5/ODI7ZRpGxfZxc/tbfispBMbiKZ5YDBcvXXClRQQTnrD1nznvxacYWA1pS9sO4Kzq0sYExxsMicaMwR5UY5GQaEdI2I/SGf720XQgVqWslbnM3jW5RN8PGzG8SaHsow+snkLTm6FG5LbWyTRh7aAzHQxqAAu44e/qI1Qlb0P1VRxWt/xkoxdlPmgRDTwpglFW2ARvK+ErkxV+J9Bu8d1T3rPUtmChIDHkBE2pzB+sQMrZ096+sZb6+AU50W3jqRn9dq/uwHj8AmDG/5ENRoVPbt9bRuB4RyVr38qRlXH2Y6PrAOnPinFfbSuigOYtdKcKEYNRfqpSDFDFuSi97mwx+m5LbWBApi7oa31guRwPLyUgV4rushizsRze56eFpsTUD1vh/2ijEgRZVmHD0Kx0obNWP1p8M7JzEhU1zMVRHgV9tlosG86Qt8AsIY6BkuGIP6rwj4URA3YYK5E4KxJolCjIsLo/5+fZZtd9GP/mW8tOjdeIadb7xXElKVhQ0JV40PCT4/5Z9NNXey9LvFc0a/sc3CWOOkgJ8aqym8zY+NtJj7AlcKJsMoZXXCKSaBWdUcNMTwNb1o98lr6J7ClEyG2AiDz4fNao6Wv0aSp2DPLsdBPeIKDjqrf9Zp29Ruo5tMiq4WUIl4lQYZzd1onnMc2VDYK2hb0SPgrNPNbW/niARmEJIqQdYQfCi1VCQSQTYnon5rEkIsLvlBG0iDgNcn73OYw806T2qPjni/Tn8RH9nGi9PEiMQn535lGTnk1XD TTcdhYmq lE4YCFnXnBAjvMSK/LrXjuOXa5/qTuu1AMEhPCr6xeZDAO+NceFPzpQnVpSEc08VmNRaCaH+/s/8/yjcpoW9fLF7O4hug4u5mqsHD1JhOVXWTfqLAjgkrbotWYf7jg/hXk5K0tJ+rCVrTuZbKLsrj9wk9ihSqfJCi/uo0otlgDJDfq9ECmTjuq+y5ZHOMjmR4d4CdcOHhOHqZZI19bi1Z1dBYGoKbRQoT5Bewlm6XA7O63qKGNKXVmt1nrgEEw+w7m2wQBG85Ww1xMPbQpPLXekF6uoSvrr5e0/xF2y7mYkRqPEOUgTRVPdeBuE/pdPesEPmsvcxj+w4/6NmDvV4hKUVWpovSZyf6UMbt/Cl+48H+3aWhB5xi2Dx/Hhl1/TabtsxX8yTNZg9qFy3Ztev+xoujYI4TxlfEMqXZ9340D351oyVyQzysYrZvZydmozf7/9z/fHsK8FAntIGAw1NI2JxensLsrUTe2KQAxxmKYmle5ghnyAzRPHMCxs3gkk2DCPb03sqaFnvPj3QlX5CO65EmoW4XeV1HvrpRUzdI/KmrYNN/cWMleWGcdDIW0qmEoVrrqJdgHN1ZW28bV7HS6FbGFhzp8InrztfTNKMqmLF7lWNntcI3SrGsVNR62T75X8XVgzGRg4J4IQ6zjAzeIFs9uw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Zbigniew mentioned at Linux Plumber's that systemd is interested in switching to execveat() for service execution, but can't, because the contents of /proc/pid/comm are the file descriptor which was used, instead of the path to the binary. This makes the output of tools like top and ps useless, especially in a world where most fds are opened CLOEXEC so the number is truly meaningless. When the filename passed in is empty (e.g. with AT_EMPTY_PATH), use the dentry's filename for "comm" instead of using the useless numeral from the synthetic fdpath construction. This way the actual exec machinery is unchanged, but cosmetically the comm looks reasonable to admins investigating things. Instead of adding TASK_COMM_LEN more bytes to bprm, use one of the unused flag bits to indicate that we need to set "comm" from the dentry. Suggested-by: Zbigniew Jędrzejewski-Szmek Suggested-by: Tycho Andersen Suggested-by: Al Viro Suggested-by: Linus Torvalds CC: Aleksa Sarai Link: https://github.com/uapi-group/kernel-features#set-comm-field-before-exec Signed-off-by: Kees Cook Reviewed-by: Aleksa Sarai --- Cc: Al Viro Cc: Linus Torvalds Cc: Eric Biederman Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: linux-mm@kvack.org Cc: linux-fsdevel@vger.kernel.org Here's what I've put together from the various suggestions. I didn't want to needlessly grow bprm, so I just added a flag instead. Otherwise, this is very similar to what Linus and Al suggested. --- fs/exec.c | 22 +++++++++++++++++++--- include/linux/binfmts.h | 4 +++- 2 files changed, 22 insertions(+), 4 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 5f16500ac325..d897d60ca5c2 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1347,7 +1347,21 @@ int begin_new_exec(struct linux_binprm * bprm) set_dumpable(current->mm, SUID_DUMP_USER); perf_event_exec(); - __set_task_comm(me, kbasename(bprm->filename), true); + + /* + * If the original filename was empty, alloc_bprm() made up a path + * that will probably not be useful to admins running ps or similar. + * Let's fix it up to be something reasonable. + */ + if (bprm->comm_from_dentry) { + rcu_read_lock(); + /* The dentry name won't change while we hold the rcu read lock. */ + __set_task_comm(me, smp_load_acquire(&bprm->file->f_path.dentry->d_name.name), + true); + rcu_read_unlock(); + } else { + __set_task_comm(me, kbasename(bprm->filename), true); + } /* An exec changes our domain. We are no longer part of the thread group */ @@ -1521,11 +1535,13 @@ static struct linux_binprm *alloc_bprm(int fd, struct filename *filename, int fl if (fd == AT_FDCWD || filename->name[0] == '/') { bprm->filename = filename->name; } else { - if (filename->name[0] == '\0') + if (filename->name[0] == '\0') { bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d", fd); - else + bprm->comm_from_dentry = 1; + } else { bprm->fdpath = kasprintf(GFP_KERNEL, "/dev/fd/%d/%s", fd, filename->name); + } if (!bprm->fdpath) goto out_free; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index e6c00e860951..3305c849abd6 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -42,7 +42,9 @@ struct linux_binprm { * Set when errors can no longer be returned to the * original userspace. */ - point_of_no_return:1; + point_of_no_return:1, + /* Set when "comm" must come from the dentry. */ + comm_from_dentry:1; struct file *executable; /* Executable to pass to the interpreter */ struct file *interpreter; struct file *file;