    commoncap: Refactor to remove bprm_secureexec hook · 46d98eb4
    Kees Cook authored
    The commoncap implementation of the bprm_secureexec hook is the only LSM
    that depends on the final call to its bprm_set_creds hook (since it may
    be called for multiple files, it ignores bprm->called_set_creds). As a
    result, it cannot safely _clear_ bprm->secureexec since other LSMs may
    have set it.  Instead, remove the bprm_secureexec hook by introducing a
    new flag to bprm specific to commoncap: cap_elevated. This is similar to
    cap_effective, but that is used for a specific subset of elevated
    privileges, and exists solely to track state from bprm_set_creds to
    bprm_secureexec. As such, it will be removed in the next patch.
    
    Here, set the new bprm->cap_elevated flag when setuid/setgid has happened
    from bprm_fill_uid() or fscapabilities have been prepared. This temporarily
    moves the bprm_secureexec hook to a static inline. The helper will be
    removed in the next patch; this makes the step easier to review and bisect,
    since this does not introduce any changes to inputs or outputs of the
    "elevated privileges" calculation.
    
    The new flag is merged with the bprm->secureexec flag in setup_new_exec()
    since this marks the end of any further prepare_binprm() calls.
    
    Cc: Andy Lutomirski <luto@kernel.org>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Andy Lutomirski <luto@kernel.org>
    Acked-by: James Morris <james.l.morris@oracle.com>
    Acked-by: Serge Hallyn <serge@hallyn.com>
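The constraint the commit message describes, modelled as an added example (not kernel code and not part of this commit): an exec chain such as a #! script followed by its interpreter calls bprm_set_creds() once per file, so a hook that recomputes the shared secureexec flag on every call can erase what another LSM or an earlier file set. The struct, the hypothetical "unsafe" variant and the per-file inputs are constructed for illustration; only the merge into secureexec at setup_new_exec() follows the commit.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the struct linux_binprm fields this commit touches. */
struct binprm {
	bool secureexec;   /* shared: any LSM may set it; the exec then gets AT_SECURE */
	bool cap_elevated; /* commoncap-private: privileges were raised somewhere in the chain */
};

/* One file in an exec chain, e.g. a #! script followed by its interpreter (constructed). */
struct exec_file {
	bool setuid_or_setgid; /* bprm_fill_uid() changed the effective uid/gid */
	bool has_fscaps;       /* file capabilities were prepared */
};

static bool file_elevates(const struct exec_file *f)
{
	return f->setuid_or_setgid || f->has_fscaps;
}

/* Hypothetical unsafe variant: commoncap recomputes the shared flag on every
 * call, so the last file in the chain overwrites anything set earlier. */
bool run_exec_chain_unsafe(const struct exec_file *files, size_t n, bool other_lsm_secure)
{
	struct binprm bprm = { .secureexec = other_lsm_secure, .cap_elevated = false };

	for (size_t i = 0; i < n; i++)
		bprm.secureexec = file_elevates(&files[i]); /* clears the shared flag */
	return bprm.secureexec;
}

/* Post-commit model: commoncap only ever raises its private cap_elevated flag,
 * and setup_new_exec() merges it into secureexec once the chain is complete. */
bool run_exec_chain(const struct exec_file *files, size_t n, bool other_lsm_secure)
{
	struct binprm bprm = { .secureexec = other_lsm_secure, .cap_elevated = false };

	for (size_t i = 0; i < n; i++)        /* one bprm_set_creds() call per file */
		if (file_elevates(&files[i]))
			bprm.cap_elevated = true;

	bprm.secureexec |= bprm.cap_elevated; /* the merge done in setup_new_exec() */
	return bprm.secureexec;
}
```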