[PATCH 1/3] LSM: add security_bprm_aborting_creds() hook
From: Tetsuo Handa
Date: Sun Jan 28 2024 - 09:17:40 EST
A regression caused by commit 978ffcbf00d8 ("execve: open the executable
file before doing anything else") has been fixed by commit 4759ff71f23e
("exec: Check __FMODE_EXEC instead of in_execve for LSMs") and commit
3eab830189d9 ("uselib: remove use of __FMODE_EXEC"). While fixing this
regression, Linus commented that we want to remove current->in_execve flag.
The current->in_execve flag was introduced by commit f9ce1f1cda8b ("Add
in_execve flag into task_struct.") when TOMOYO LSM was merged, and the
reason was explained in commit f7433243770c ("LSM adapter functions.").
In short, TOMOYO's design is not compatible with COW credential model
introduced in Linux 2.6.29, and the current->in_execve flag was added for
emulating security_bprm_free() hook which has been removed by introduction
of COW credential model.
security_task_alloc()/security_task_free() hooks have been removed by
commit f1752eec6145 ("CRED: Detach the credentials from task_struct"),
and these hooks have been revived by commit 1a2a4d06e1e9 ("security:
create task_free security callback") and commit e4e55b47ed9a ("LSM: Revive
security_task_alloc() hook and per "struct task_struct" security blob.").
But security_bprm_free() hook did not revive until now. Now that Linus
wants TOMOYO to stop carrying state across two independent execve() calls,
and TOMOYO can stop carrying state if a hook for restoring previous state
upon failed execve() call were provided, this patch revives the hook.
Since security_bprm_committing_creds() and security_bprm_committed_creds()
hooks are called when an execve() request succeeded, we don't need to call
security_bprm_free() hook when an execve() request succeeded. Therefore,
this patch adds security_bprm_aborting_creds() hook which is called only
when an execve() request failed after successful prepare_bprm_creds() call.
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
---
fs/exec.c | 1 +
include/linux/lsm_hook_defs.h | 1 +
include/linux/security.h | 5 +++++
security/security.c | 14 ++++++++++++++
4 files changed, 21 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index af4fbb61cd53..9d198cd9a75c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1519,6 +1519,7 @@ static void free_bprm(struct linux_binprm *bprm)
}
free_arg_pages(bprm);
if (bprm->cred) {
+ security_bprm_aborting_creds(bprm);
mutex_unlock(¤t->signal->cred_guard_mutex);
abort_creds(bprm->cred);
}
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 185924c56378..ec44ff913cee 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -54,6 +54,7 @@ LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct f
LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm)
LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm)
LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm)
+LSM_HOOK(void, LSM_RET_VOID, bprm_aborting_creds, const struct linux_binprm *bprm)
LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference)
LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc,
struct fs_context *src_sc)
diff --git a/include/linux/security.h b/include/linux/security.h
index d0eb20f90b26..cf78fb14ef3c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -299,6 +299,7 @@ int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *
int security_bprm_check(struct linux_binprm *bprm);
void security_bprm_committing_creds(const struct linux_binprm *bprm);
void security_bprm_committed_creds(const struct linux_binprm *bprm);
+void security_bprm_aborting_creds(const struct linux_binprm *bprm);
int security_fs_context_submount(struct fs_context *fc, struct super_block *reference);
int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc);
int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param);
@@ -648,6 +649,10 @@ static inline void security_bprm_committed_creds(const struct linux_binprm *bprm
{
}
+static inline void security_bprm_aborting_creds(const struct linux_binprm *bprm)
+{
+}
+
static inline int security_fs_context_submount(struct fs_context *fc,
struct super_block *reference)
{
diff --git a/security/security.c b/security/security.c
index 0144a98d3712..f426841e576a 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1223,6 +1223,20 @@ void security_bprm_committed_creds(const struct linux_binprm *bprm)
call_void_hook(bprm_committed_creds, bprm);
}
+/**
+ * security_bprm_aborting_creds() - Destroy creds for a process during exec()
+ * @bprm: binary program information
+ *
+ * Prepare to destroy the new security attributes which became unused due to
+ * failed execve operation. @bprm points to the linux_binprm structure.
+ * This hook is a good place to undo changes which cannot be discarded by
+ * abort_creds().
+ */
+void security_bprm_aborting_creds(const struct linux_binprm *bprm)
+{
+ call_void_hook(bprm_aborting_creds, bprm);
+}
+
/**
* security_fs_context_submount() - Initialise fc->security
* @fc: new filesystem context
--
2.18.4