Re: [PATCH 0/2] exec: Use sane stack rlimit for setuid exec
From: Linus Torvalds
Date: Fri Jul 07 2017 - 16:09:57 EST
On Fri, Jul 7, 2017 at 1:04 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> It looks like Kees went through the security modules [..]
i take that back. It looks like Kees looked at smack, but not at
SElinux, for example.
selinux_bprm_secureexec() seems to just look at current_security(),
not at the new stuff in bprm at all.
Which would seem to be exactly the wrong thing to do, and is insane
(why pass in bprm at all?) but comes from the fact that we used to
call bprm_secureexec() in an insane place.
So I think this patch series is sadly broken - I think it does the
right thing, but the security modules definitely look like they need
to be updated for that right thing.
Linus