Re: [RFC][PATCH] exec: Use init rlimits for setuid exec

From: Kees Cook
Date: Fri Jul 07 2017 - 14:28:13 EST

On Fri, Jul 7, 2017 at 9:22 AM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, Jul 6, 2017 at 11:40 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
> So I definitely like this approach, as long as we clarify that crazy
> security_bprm_secureexec() model. That code really is insane.

Yeah, it really seems like security_bprm_secureexec() should be
checking the bprm cred, though there are comments in the LSMs about
why this isn't done. I'll dig through the history there; it may be an
artifact of the old cred installation ordering...

It seems like an LSM would want to see "current creds" and "new creds"
as distinct things for comparing the results, but I'll check it out.

> In contrast, if the code just did:
> if (security_bprm_secureexec(bprm)) {
> if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
> current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
> }
> and leave the hard limit alone entirely. At least that doesn't let
> anybody escape the limits that the sysadmin has set.

Sounds good to me.

> Hmm? Yes, this allows people to try to attack suid binaries with a
> really small stack. But that's a pre-existing attack - do we have
> worries about it?

Agreed, I think that's out of scope for this.


Kees Cook
Pixel Security