On Sun, Jan 10, 2016 at 7:48 AM, Konstantin Khlebnikov <koct9i@xxxxxxxxx> wrote: > On Sat, Jan 9, 2016 at 2:27 AM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> Normally, when a user can modify a file that has setuid or setgid bits, >> those bits are cleared when they are not the file owner or a member >> of the group. This is enforced when using write and truncate but not >> when writing to a shared mmap on the file. This could allow the file >> writer to gain privileges by changing a binary without losing the >> setuid/setgid/caps bits. >> >> Changing the bits requires holding inode->i_mutex, so it cannot be done >> during the page fault (due to mmap_sem being held during the fault). We >> could do this during vm_mmap_pgoff, but that would need coverage in >> mprotect as well, but to check for MAP_SHARED, we'd need to hold mmap_sem >> again. We could clear at open() time, but it's possible things are >> accidentally opening with O_RDWR and only reading. Better to clear on >> close and error failures (i.e. an improvement over now, which is not >> clearing at all). > > I think this should be done in mmap/mprotect. Code in sys_mmap is trivial. > > In sys_mprotect you can check file_needs_remove_privs() and VM_SHARED > under mmap_sem, then if needed grab reference to struct file from vma and > clear suid after unlocking mmap_sem. > > I haven't seen previous iterations, probably this approach has known flaws. mmap_sem is still needed in mprotect (to find and hold the vma), so it's not possible. I'd love to be proven wrong, but I didn't see a way. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-arch" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
