Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec

From: Linus Torvalds
Date: Fri Jul 07 2017 - 16:09:57 EST

Next message: Rob Herring: "Re: [PATCH 2/8] usb: bdc: Add Device Tree binding document for Broadcom BDC driver"
Previous message: Gustavo A. R. Silva: "Re: [PATCH] net: ethernet: mediatek: add NULL check on of_match_device() return value"
In reply to: Linus Torvalds: "Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec"
Next in thread: Kees Cook: "Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jul 7, 2017 at 1:04 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> It looks like Kees went through the security modules [..]

i take that back. It looks like Kees looked at smack, but not at
SElinux, for example.

selinux_bprm_secureexec() seems to just look at current_security(),
not at the new stuff in bprm at all.

Which would seem to be exactly the wrong thing to do, and is insane
(why pass in bprm at all?) but comes from the fact that we used to
call bprm_secureexec() in an insane place.

So I think this patch series is sadly broken - I think it does the
right thing, but the security modules definitely look like they need
to be updated for that right thing.

Linus

Next message: Rob Herring: "Re: [PATCH 2/8] usb: bdc: Add Device Tree binding document for Broadcom BDC driver"
Previous message: Gustavo A. R. Silva: "Re: [PATCH] net: ethernet: mediatek: add NULL check on of_match_device() return value"
In reply to: Linus Torvalds: "Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec"
Next in thread: Kees Cook: "Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]