On Fri, Jul 7, 2017 at 1:04 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote: > On Fri, Jul 7, 2017 at 12:56 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> As discussed with Linus and Andy, we need to reset the stack rlimit >> before we do memory layouts when execing a privilege-gaining (e.g. >> setuid) program. This moves security_bprm_secureexec() earlier (with >> required changes), and then lowers the stack limit when appropriate. > > Looks sane to me, and that first patch looks like a nice cleanup > regardless - the old semantics were insane. I wonder if we could collapse all the secureexec logic in setup_new_exec. There are three places (?). I was shy to consolidate those in this patch in case there were weird dependencies on dumpability ordering. But I'll go see if I can clean those up too... -Kees -- Kees Cook Pixel Security
