diff options
author | Kees Cook <keescook@chromium.org> | 2014-05-21 15:23:46 -0700 |
---|---|---|
committer | Kees Cook <keescook@google.com> | 2016-04-08 12:32:11 -0700 |
commit | 84f9028bdc4197898a91e4ae5ad404f5377e181c (patch) | |
tree | e027eabb21321beab6b37530862b2edaa9c10967 | |
parent | f28a0cda8ace4d5a4cdd75da0054cd865720c142 (diff) | |
download | qcom-msm-v3.10-84f9028bdc4197898a91e4ae5ad404f5377e181c.tar.gz |
BACKPORT: sched: move no_new_privs into new atomic flags
Since seccomp transitions between threads requires updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Bug: 28020023
Patchset: seccomp
(cherry picked from kernel/msm commit 8334b709bf3e12d90aba715742df9e1d5aa2eb7f)
Signed-off-by: Kees Cook <keescook@google.com>
Change-Id: I36ce9af17118e69d8664be67b17a94a459ed5144
-rw-r--r-- | fs/exec.c | 4 | ||||
-rw-r--r-- | include/linux/sched.h | 18 | ||||
-rw-r--r-- | kernel/seccomp.c | 2 | ||||
-rw-r--r-- | kernel/sys.c | 4 | ||||
-rw-r--r-- | security/apparmor/domain.c | 4 |
5 files changed, 22 insertions, 10 deletions
diff --git a/fs/exec.c b/fs/exec.c index dd6aa61c854..02ad43ce2f6 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1239,7 +1239,7 @@ static int check_unsafe_exec(struct linux_binprm *bprm) * This isn't strictly necessary, but it makes it harder for LSMs to * mess up. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; n_fs = 1; @@ -1286,7 +1286,7 @@ int prepare_binprm(struct linux_binprm *bprm) bprm->cred->egid = current_egid(); if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) && - !current->no_new_privs && + !task_no_new_privs(current) && kuid_has_mapping(bprm->cred->user_ns, inode->i_uid) && kgid_has_mapping(bprm->cred->user_ns, inode->i_gid)) { /* Set-uid? */ diff --git a/include/linux/sched.h b/include/linux/sched.h index 5f995db070c..cd66060dfb3 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1233,13 +1233,12 @@ struct task_struct { * execve */ unsigned in_iowait:1; - /* task may not gain privileges */ - unsigned no_new_privs:1; - /* Revert to default priority/policy when forking */ unsigned sched_reset_on_fork:1; unsigned sched_contributes_to_load:1; + unsigned long atomic_flags; /* Flags needing atomic access. */ + pid_t pid; pid_t tgid; @@ -1820,6 +1819,19 @@ static inline void memalloc_noio_restore(unsigned int flags) current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags; } +/* Per-process atomic flags. */ +#define PFA_NO_NEW_PRIVS 0x00000001 /* May not gain new privileges. */ + +static inline bool task_no_new_privs(struct task_struct *p) +{ + return test_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags); +} + +static inline void task_set_no_new_privs(struct task_struct *p) +{ + set_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags); +} + /* * task->jobctl flags */ diff --git a/kernel/seccomp.c b/kernel/seccomp.c index d4b61b96742..5390739066a 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -264,7 +264,7 @@ static long seccomp_attach_filter(struct sock_fprog *fprog) * This avoids scenarios where unprivileged tasks can affect the * behavior of privileged children. */ - if (!current->no_new_privs && + if (!task_no_new_privs(current) && security_capable_noaudit(current_cred(), current_user_ns(), CAP_SYS_ADMIN) != 0) return -EACCES; diff --git a/kernel/sys.c b/kernel/sys.c index ab7fda5fbe1..407abeef9f6 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -2427,12 +2427,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, if (arg2 != 1 || arg3 || arg4 || arg5) return -EINVAL; - current->no_new_privs = 1; + task_set_no_new_privs(current); break; case PR_GET_NO_NEW_PRIVS: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; - return current->no_new_privs ? 1 : 0; + return task_no_new_privs(current) ? 1 : 0; case PR_SET_VMA: error = prctl_set_vma(arg2, arg3, arg4, arg5); break; diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index 859abdaac1e..9aaa4e72cc1 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -629,7 +629,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) * There is no exception for unconfined as change_hat is not * available. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) return -EPERM; /* released below */ @@ -780,7 +780,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, * no_new_privs is set because this aways results in a reduction * of permissions. */ - if (current->no_new_privs && !unconfined(profile)) { + if (task_no_new_privs(current) && !unconfined(profile)) { put_cred(cred); return -EPERM; } |