exec: Allow load_misc_binary to call prepare_binprm unconditionally

Add a flag preserve_creds that binfmt_misc can set to prevent credentials from being updated. This allows binfmt_misc to always call prepare_binprm. Allowing the credential computation logic to be consolidated. Not replacing the credentials with the interpreters credentials is safe because because an open file descriptor to the executable is passed to the interpreter. As the interpreter does not need to reopen the executable it is guaranteed to see the same file that exec sees. Ref: c407c033de84 ("[PATCH] binfmt_misc: improve calculation of interpreter's credentials") Link: https://lkml.kernel.org/r/87imgszrwo.fsf_-_@x220.int.ebiederm.orgAcked-by: N Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: N Kees Cook <keescook@chromium.org> Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com>

exec: Allow load_misc_binary to call prepare_binprm unconditionally
Add a flag preserve_creds that binfmt_misc can set to prevent credentials from being updated. This allows binfmt_misc to always call prepare_binprm. Allowing the credential computation logic to be consolidated. Not replacing the credentials with the interpreters credentials is safe because because an open file descriptor to the executable is passed to the interpreter. As the interpreter does not need to reopen the executable it is guaranteed to see the same file that exec sees. Ref: c407c033de84 ("[PATCH] binfmt_misc: improve calculation of interpreter's credentials") Link: https://lkml.kernel.org/r/87imgszrwo.fsf_-_@x220.int.ebiederm.orgAcked-by: N Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: N Kees Cook <keescook@chromium.org> Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com>
a16b3357 · Eric W. Biederman · 112b7147 · a16b3357 · a16b3357 · a16b3357
隐藏空白更改
内联并排

Showing with 17 addition and 19 deletion

fs/binfmt_misc.c fs/binfmt_misc.c +3 -12

fs/exec.c fs/exec.c +12 -7

include/linux/binfmts.h include/linux/binfmts.h +2 -0

未找到文件。
--- a/fs/binfmt_misc.c
+++ b/fs/binfmt_misc.c
@@ -218,19 +218,10 @@ static int load_misc_binary(struct linux_binprm *bprm)
 		goto error;
 	bprm->file = interp_file;
-	if (fmt->flags & MISC_FMT_CREDENTIALS) {
+	if (fmt->flags & MISC_FMT_CREDENTIALS)
-		loff_t pos = 0;
+		bprm->preserve_creds = 1;
-		/*
-		 * No need to call prepare_binprm(), it's already been
-		 * done.  bprm->buf is stale, update from interp_file.
-		 */
-		memset(bprm->buf, 0, BINPRM_BUF_SIZE);
-		retval = kernel_read(bprm->file, bprm->buf, BINPRM_BUF_SIZE,
-				&pos);
-	} else
-		retval = prepare_binprm(bprm);
+	retval = prepare_binprm(bprm);
 	if (retval < 0)
 		goto error;

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1631,15 +1631,20 @@ static void bprm_fill_uid(struct linux_binprm *bprm)
 */
 int prepare_binprm(struct linux_binprm *bprm)
 {
-	int retval;
 	loff_t pos = 0;
-	/* Recompute parts of bprm->cred based on bprm->file */
+	/* Can the interpreter get to the executable without races? */
-	bprm->active_secureexec = 0;
+	if (!bprm->preserve_creds) {
-	bprm_fill_uid(bprm);
+		int retval;
-	retval = security_bprm_repopulate_creds(bprm);
-	if (retval)
+		/* Recompute parts of bprm->cred based on bprm->file */
-		return retval;
+		bprm->active_secureexec = 0;
+		bprm_fill_uid(bprm);
+		retval = security_bprm_repopulate_creds(bprm);
+		if (retval)
+			return retval;
+	}
+	bprm->preserve_creds = 0;
 	memset(bprm->buf, 0, BINPRM_BUF_SIZE);
 	return kernel_read(bprm->file, bprm->buf, BINPRM_BUF_SIZE, &pos);

--- a/include/linux/binfmts.h
+++ b/include/linux/binfmts.h
@@ -26,6 +26,8 @@ struct linux_binprm {
 	unsigned long p; /* current top of mem */
 	unsigned long argmin; /* rlimit marker for copy_strings() */
 	unsigned int
+		/* It is safe to use the creds of a script (see binfmt_misc) */
+		preserve_creds:1,
 		/*
 		 * True if most recent call to security_bprm_set_creds
 		 * resulted in elevated privileges.