Re: [RFC][PATCH] exec: Use init rlimits for setuid exec

From: Kees Cook
Date: Mon Jul 10 2017 - 12:12:29 EST


On Mon, Jul 10, 2017 at 1:44 AM, Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> On Thu 06-07-17 12:12:55, Kees Cook wrote:
>> On Thu, Jul 6, 2017 at 10:52 AM, Linus Torvalds
>> <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>> > On Thu, Jul 6, 2017 at 10:29 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> >>>
>> >>> (a) minimal: just use our existing default stack (and stack _only_)
>> >>> limit value for suid binaries that actually get extra permissions: {
>> >>> _STK_LIM, RLIM_INFINITY }.
>> >>
>> >> This would look a lot like the existing patch; it'd just not copy the
>> >> init process rlimits.
>> >
>> > Can't we just do the final rlimit setting so late in execve that we
>> > don't need that whole "saved_rlimit" thing?
>>
>> The stack rlimit defines the mmap layout too:
>>
>> do_execveat_common() ->
>> exec_binprm() ->
>> search_binary_handler() ->
>> fmt->load_binary (load_elf_binary()) ->
>> setup_new_exec() ->
>> arch_pick_mmap_layout() ->
>> mmap_is_legacy() ->
>> rlimit(RLIMIT_STACK) == RLIM_INFINITY
>
> FWIW this is gone in tip tree. See
> lkml.kernel.org/r/20170614082218.12450-1-mhocko@xxxxxxxxxx

Sounds good to me, but won't large-memory users in 32-bit get annoyed?

A setuid/setgid exec will also get ADDR_COMPAT_LAYOUT cleared in
bprm_fill_uid() (but not for fs-caps), so that'll keep things from
getting layout-controlled. Thanks!

(ADDR_COMPAT_LAYOUT isn't cleared for capability elevations, though, I think.)

-Kees

--
Kees Cook
Pixel Security