Commit ee212ab1 authored by Jann Horn's avatar Jann Horn Committed by Kamal Mostafa

fs: take i_mutex during prepare_binprm for set[ug]id executables

commit 8b01fc86 upstream.

This prevents a race between chown() and execve(), where chowning a
setuid-user binary to root would momentarily make the binary setuid
root.

This patch was mostly written by Linus Torvalds.
Signed-off-by: default avatarJann Horn <jann@thejh.net>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
[ luis: backported to 3.16:
  - relaced task_no_new_privs() by current->no_new_privs
  - replaced READ_ONCE() by ACCESS_ONCE() ]
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
parent 078be168
...@@ -1267,6 +1267,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm) ...@@ -1267,6 +1267,53 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
return res; return res;
} }
static void bprm_fill_uid(struct linux_binprm *bprm)
{
struct inode *inode;
unsigned int mode;
kuid_t uid;
kgid_t gid;
/* clear any previous set[ug]id data from a previous binary */
bprm->cred->euid = current_euid();
bprm->cred->egid = current_egid();
if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
return;
if (current->no_new_privs)
return;
inode = file_inode(bprm->file);
mode = ACCESS_ONCE(inode->i_mode);
if (!(mode & (S_ISUID|S_ISGID)))
return;
/* Be careful if suid/sgid is set */
mutex_lock(&inode->i_mutex);
/* reload atomically mode/uid/gid now that lock held */
mode = inode->i_mode;
uid = inode->i_uid;
gid = inode->i_gid;
mutex_unlock(&inode->i_mutex);
/* We ignore suid/sgid if there are no mappings for them in the ns */
if (!kuid_has_mapping(bprm->cred->user_ns, uid) ||
!kgid_has_mapping(bprm->cred->user_ns, gid))
return;
if (mode & S_ISUID) {
bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->euid = uid;
}
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->egid = gid;
}
}
/* /*
* Fill the binprm structure from the inode. * Fill the binprm structure from the inode.
* Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
...@@ -1275,36 +1322,9 @@ static int check_unsafe_exec(struct linux_binprm *bprm) ...@@ -1275,36 +1322,9 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
*/ */
int prepare_binprm(struct linux_binprm *bprm) int prepare_binprm(struct linux_binprm *bprm)
{ {
struct inode *inode = file_inode(bprm->file);
umode_t mode = inode->i_mode;
int retval; int retval;
bprm_fill_uid(bprm);
/* clear any previous set[ug]id data from a previous binary */
bprm->cred->euid = current_euid();
bprm->cred->egid = current_egid();
if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
!current->no_new_privs &&
kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) &&
kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) {
/* Set-uid? */
if (mode & S_ISUID) {
bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->euid = inode->i_uid;
}
/* Set-gid? */
/*
* If setgid is set but no group execute bit then this
* is a candidate for mandatory locking, not a setgid
* executable.
*/
if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
bprm->per_clear |= PER_CLEAR_ON_SETID;
bprm->cred->egid = inode->i_gid;
}
}
/* fill in binprm security blob */ /* fill in binprm security blob */
retval = security_bprm_set_creds(bprm); retval = security_bprm_set_creds(bprm);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment