Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.18.21 2025-06-23T15:38:39+00:00 2025-06-23T15:38:39+00:00 Eric W. Biederman ebiederm@xmission.com 2025-05-20T22:13:03+00:00 urn:sha1:337490f0007f910968f828e46501db3091b1a4f8 Max Kellerman recently experienced a problem[1] when calling exec with differing uid and euid's and he triggered the logic that is supposed to only handle setuid executables. When exec isn't changing anything in struct cred it doesn't make sense to go into the code that is there to handle the case when the credentials change. When looking into the history of the code I discovered that this issue was not present in Linux-2.4.0-test12 and was introduced in Linux-2.4.0-prerelease when the logic for handling this case was moved from prepare_binprm to compute_creds in fs/exec.c. The bug introdused was to comparing euid in the new credentials with uid instead of euid in the old credentials, when testing if setuid had changed the euid. Since triggering the keep ptrace limping along case for setuid executables makes no sense when it was not a setuid exec revert back to the logic present in Linux-2.4.0-test12. This removes the confusingly named and subtlety incorrect helpers is_setuid and is_setgid, that helped this bug to persist. The varaiable is_setid is renamed to id_changed (it's Linux-2.4.0-test12) as the old name describes what matters rather than it's cause. The code removed in Linux-2.4.0-prerelease was: - /* Set-uid? */ - if (mode & S_ISUID) { - bprm->e_uid = inode->i_uid; - if (bprm->e_uid != current->euid) - id_change = 1; - } - - /* Set-gid? */ - /* - * If setgid is set but no group execute bit then this - * is a candidate for mandatory locking, not a setgid - * executable. - */ - if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) { - bprm->e_gid = inode->i_gid; - if (!in_group_p(bprm->e_gid)) - id_change = 1; Linux-2.4.0-prerelease added the current logic as: + if (bprm->e_uid != current->uid || bprm->e_gid != current->gid || + !cap_issubset(new_permitted, current->cap_permitted)) { + current->dumpable = 0; + + lock_kernel(); + if (must_not_trace_exec(current) + || atomic_read(&current->fs->count) > 1 + || atomic_read(&current->files->count) > 1 + || atomic_read(&current->sig->count) > 1) { + if(!capable(CAP_SETUID)) { + bprm->e_uid = current->uid; + bprm->e_gid = current->gid; + } + if(!capable(CAP_SETPCAP)) { + new_permitted = cap_intersect(new_permitted, + current->cap_permitted); + } + } + do_unlock = 1; + } I have condenced the logic from Linux-2.4.0-test12 to just: id_changed = !uid_eq(new->euid, old->euid) || !in_group_p(new->egid); This change is userspace visible, but I don't expect anyone to care. For the bug that is being fixed to trigger bprm->unsafe has to be set. The variable bprm->unsafe is set when ptracing an executable, when sharing a working directory, or when no_new_privs is set. Properly testing for cases that are safe even in those conditions and doing nothing special should not affect anyone. Especially if they were previously ok with their credentials getting munged To minimize behavioural changes the code continues to set secureexec when euid != uid or when egid != gid. [1] https://lkml.kernel.org/r/20250306082615.174777-1-max.kellermann@ionos.com Reported-by: Max Kellermann <max.kellermann@ionos.com> Fixes: 64444d3d0d7f ("Linux version 2.4.0-prerelease") v1: https://lkml.kernel.org/r/878qmxsuy8.fsf@email.froward.int.ebiederm.org Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Reviewed-by: Jann Horn <jannh@google.com> Acked-by: Kees Cook <kees@kernel.org> 2025-03-08T04:03:09+00:00 Dr. David Alan Gilbert linux@treblig.org 2024-12-19T17:28:59+00:00 urn:sha1:4ae89b1fe7c2e37a8f2ea39765e4c40c9d42a101 The vanilla has_capability() function has been unused since 2018's commit dcb569cf6ac9 ("Smack: ptrace capability use fixes") Remove it. Fixup a comment in security/commoncap.c that referenced it. Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org> Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Serge Hallyn <sergeh@kernel.org> 2025-01-23T16:00:16+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-01-23T16:00:16+00:00 urn:sha1:754916d4a2b970bc1b5104d552b5d16ab54954c0 Pull capabilities updates from Serge Hallyn: - remove the cap_mmap_file() hook, as it simply returned the default return value and so doesn't need to exist (Paul Moore) - add a trace event for cap_capable() (Jordan Rome) * tag 'caps-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux: security: add trace event for cap_capable capabilities: remove cap_mmap_file() 2024-12-19T01:00:29+00:00 Mickaël Salaün mic@digikod.net 2024-12-12T17:42:17+00:00 urn:sha1:a0623b2a1d595341971c189b90a6b06f42cd209d The new SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and their *_LOCKED counterparts are designed to be set by processes setting up an execution environment, such as a user session, a container, or a security sandbox. Unlike other securebits, these ones can be set by unprivileged processes. Like seccomp filters or Landlock domains, the securebits are inherited across processes. When SECBIT_EXEC_RESTRICT_FILE is set, programs interpreting code should control executable resources according to execveat(2) + AT_EXECVE_CHECK (see previous commit). When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should deny execution of user interactive commands (which excludes executable regular files). Being able to configure each of these securebits enables system administrators or owner of image containers to gradually validate the related changes and to identify potential issues (e.g. with interpreter or audit logs). It should be noted that unlike other security bits, the SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE bits are dedicated to user space willing to restrict itself. Because of that, they only make sense in the context of a trusted environment (e.g. sandbox, container, user session, full system) where the process changing its behavior (according to these bits) and all its parent processes are trusted. Otherwise, any parent process could just execute its own malicious code (interpreting a script or not), or even enforce a seccomp filter to mask these bits. Such a secure environment can be achieved with an appropriate access control (e.g. mount's noexec option, file access rights, LSM policy) and an enlighten ld.so checking that libraries are allowed for execution e.g., to protect against illegitimate use of LD_PRELOAD. Ptrace restrictions according to these securebits would not make sense because of the processes' trust assumption. Scripts may need some changes to deal with untrusted data (e.g. stdin, environment variables), but that is outside the scope of the kernel. See chromeOS's documentation about script execution control and the related threat model: https://www.chromium.org/chromium-os/developer-library/guides/security/noexec-shell-scripts/ Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Christian Brauner <brauner@kernel.org> Cc: Kees Cook <keescook@chromium.org> Cc: Paul Moore <paul@paul-moore.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Jeff Xu <jeffxu@chromium.org> Tested-by: Jeff Xu <jeffxu@chromium.org> Signed-off-by: Mickaël Salaün <mic@digikod.net> Link: https://lore.kernel.org/r/20241212174223.389435-3-mic@digikod.net Signed-off-by: Kees Cook <kees@kernel.org> 2024-12-05T02:59:21+00:00 Jordan Rome linux@jordanrome.com 2024-12-04T15:59:11+00:00 urn:sha1:d48da4d5ed7b4a022a4e54f210575baac71f58af In cases where we want a stable way to observe/trace cap_capable (e.g. protection from inlining and API updates) add a tracepoint that passes: - The credentials used - The user namespace of the resource being accessed - The user namespace in which the credential provides the capability to access the targeted resource - The capability to check for - The return value of the check Signed-off-by: Jordan Rome <linux@jordanrome.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Link: https://lore.kernel.org/r/20241204155911.1817092-1-linux@jordanrome.com Signed-off-by: Serge Hallyn <sergeh@kernel.org> 2024-12-05T02:56:28+00:00 Paul Moore paul@paul-moore.com 2024-09-25T19:20:19+00:00 urn:sha1:3f4f1f8a1ab75314ff5cc14f9ed134bc038926bd The cap_mmap_file() LSM callback returns the default value for the security_mmap_file() LSM hook and can be safely removed. Signed-off-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Serge Hallyn <sergeh@kernel.org> 2024-07-31T18:46:51+00:00 Xu Kuohai xukuohai@huawei.com 2024-07-24T02:06:58+00:00 urn:sha1:be72a57527fde6c80061c5f9d0e28762eb817b03 To be consistent with most LSM hooks, convert the return value of hook vm_enough_memory to 0 or a negative error code. Before: - Hook vm_enough_memory returns 1 if permission is granted, 0 if not. - LSM_RET_DEFAULT(vm_enough_memory_mm) is 1. After: - Hook vm_enough_memory reutrns 0 if permission is granted, negative error code if not. - LSM_RET_DEFAULT(vm_enough_memory_mm) is 0. Signed-off-by: Xu Kuohai <xukuohai@huawei.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-11-13T03:54:42+00:00 Paul Moore paul@paul-moore.com 2023-11-10T17:09:33+00:00 urn:sha1:b1a867eeb8ab5e097178728b01cc504c6806acca As the kernel test robot helpfully reminded us, all of the lsm_id instances defined inside the various LSMs should be marked as static. The one exception is Landlock which uses its lsm_id variable across multiple source files with an extern declaration in a header file. Reported-by: kernel test robot <lkp@intel.com> Suggested-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-11-13T03:54:42+00:00 Casey Schaufler casey@schaufler-ca.com 2023-09-12T20:56:46+00:00 urn:sha1:f3b8788cde61b02f1e6c202f8fac4360e6adbafc Create a struct lsm_id to contain identifying information about Linux Security Modules (LSMs). At inception this contains the name of the module and an identifier associated with the security module. Change the security_add_hooks() interface to use this structure. Change the individual modules to maintain their own struct lsm_id and pass it to security_add_hooks(). The values are for LSM identifiers are defined in a new UAPI header file linux/lsm.h. Each existing LSM has been updated to include it's LSMID in the lsm_id. The LSM ID values are sequential, with the oldest module LSM_ID_CAPABILITY being the lowest value and the existing modules numbered in the order they were included in the main line kernel. This is an arbitrary convention for assigning the values, but none better presents itself. The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. This may include attributes of the LSM infrastructure itself, possibly related to namespacing or network attribute management. A special range is identified for such attributes to help reduce confusion for developers unfamiliar with LSMs. LSM attribute values are defined for the attributes presented by modules that are available today. As with the LSM IDs, The value 0 is defined as being invalid. The values 1-99 are reserved for any special case uses which may arise in the future. Cc: linux-security-module <linux-security-module@vger.kernel.org> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: Mickael Salaun <mic@digikod.net> Reviewed-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Kees Cook <keescook@chromium.org> Nacked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> [PM: forward ported beyond v6.6 due merge window changes] Signed-off-by: Paul Moore <paul@paul-moore.com> 2023-09-13T22:09:35+00:00 Khadija Kamran kamrankhadijadj@gmail.com 2023-08-23T07:17:29+00:00 urn:sha1:4a00c673068e72c12d243f5c31000246d6984e44 The 'bprm_creds_from_file' hook has implementation registered in commoncap. Looking at the function implementation we observe that the 'file' parameter is not changing. Mark the 'file' parameter of LSM hook security_bprm_creds_from_file() as 'const' since it will not be changing in the LSM hook. Signed-off-by: Khadija Kamran <kamrankhadijadj@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>