c425e189ff
The bprm_secureexec hook can be moved earlier. Right now, it is called during create_elf_tables(), via load_binary(), via search_binary_handler(), via exec_binprm(). Nearly all (see exception below) state used by bprm_secureexec is created during the bprm_set_creds hook, called from prepare_binprm(). For all LSMs (except commoncaps described next), only the first execution of bprm_set_creds takes any effect (they all check bprm->called_set_creds which prepare_binprm() sets after the first call to the bprm_set_creds hook). However, all these LSMs also only do anything with bprm_secureexec when they detected a secure state during their first run of bprm_set_creds. Therefore, it is functionally identical to move the detection into bprm_set_creds, since the results from secureexec here only need to be based on the first call to the LSM's bprm_set_creds hook. The single exception is that the commoncaps secureexec hook also examines euid/uid and egid/gid differences which are controlled by bprm_fill_uid(), via prepare_binprm(), which can be called multiple times (e.g. binfmt_script, binfmt_misc), and may clear the euid/egid for the final load (i.e. the script interpreter). However, while commoncaps specifically ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time prepare_binprm() may get called, it needs to base the secureexec decision on the final call to bprm_set_creds. As a result, it will need special handling. To begin this refactoring, this adds the secureexec flag to the bprm struct, and calls the secureexec hook during setup_new_exec(). This is safe since all the cred work is finished (and past the point of no return). This explicit call will be removed in later patches once the hook has been removed. Cc: David Howells <dhowells@redhat.com> Signed-off-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Serge Hallyn <serge@hallyn.com> Reviewed-by: James Morris <james.l.morris@oracle.com>
#ifndef _LINUX_BINFMTS_H
#define _LINUX_BINFMTS_H
#include <linux/sched.h>
#include <linux/unistd.h>
#include <asm/exec.h>
#include <uapi/linux/binfmts.h>
struct filename;
#define CORENAME_MAX_SIZE 128
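/*
 * This structure is used to hold the arguments that are used when loading
 * binaries.
 *
 * Several members carry the security state of the exec in progress: the
 * flag bitfield (called_set_creds, cap_effective, secureexec), the new
 * credentials in @cred, the LSM_UNSAFE_* mask in @unsafe and the
 * personality bits to drop in @per_clear.
 */
struct linux_binprm {
	char buf[BINPRM_BUF_SIZE];
#ifdef CONFIG_MMU
	struct vm_area_struct *vma;
	unsigned long vma_pages;
#else
# define MAX_ARG_PAGES	32
	struct page *page[MAX_ARG_PAGES];
#endif
	struct mm_struct *mm;
	unsigned long p; /* current top of mem */
	unsigned int
		/*
		 * True after the bprm_set_creds hook has been called once
		 * (multiple calls can be made via prepare_binprm() for
		 * binfmt_script/misc).
		 *
		 * Per the commit message that accompanies this listing, every
		 * LSM except commoncaps checks this flag and acts only on the
		 * first call; commoncaps runs on each call and must base its
		 * decision on the final one.
		 */
		called_set_creds:1,
		/*
		 * True if has elevated effective capabilities, false if not;
		 * except for init which inherits its parent's caps anyway.
		 */
		cap_effective:1,
		/*
		 * Set by bprm_set_creds hook to indicate a privilege-gaining
		 * exec has happened. Used to sanitize execution environment
		 * and to set AT_SECURE auxv for glibc.
		 *
		 * NOTE(review): the commit message that accompanies this
		 * listing says that at this revision the secureexec hook is
		 * still called explicitly from setup_new_exec(), presumably
		 * storing its result here, and that the move into
		 * bprm_set_creds happens in later patches -- confirm against
		 * fs/exec.c before relying on the sentence above.
		 *
		 * If this bit is wrongly left clear, a privilege-gaining
		 * program starts without AT_SECURE and without the
		 * environment sanitizing described above, so reviewers should
		 * check every path that can set or skip it.
		 */
		secureexec:1;
#ifdef __alpha__
	unsigned int taso:1;
#endif
	unsigned int recursion_depth; /* only for search_binary_handler() */
	struct file *file;
	struct cred *cred;	/* new credentials */
	int unsafe;		/* how unsafe this exec is (mask of LSM_UNSAFE_*) */
	unsigned int per_clear;	/* bits to clear in current->personality */
	int argc, envc;
	const char *filename;	/* Name of binary as seen by procps */
	const char *interp;	/* Name of the binary really executed. Most
				   of the time same as filename, but could be
				   different for binfmt_{misc,script} */
	/* presumably holds the BINPRM_FLAGS_* bits defined in this header -- TODO confirm */
	unsigned interp_flags;
	unsigned interp_data;
	unsigned long loader, exec;
} __randomize_layout;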
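/*
 * binfmt flag bits. Each *_BIT constant is a bit position; the name without
 * the suffix is the corresponding single-bit mask.
 */

/*
 * NOTE(review): undocumented in this header; the name suggests the exec'd
 * image must be treated as non-dumpable -- confirm at the users.
 */
#define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
#define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)

/* fd of the binary should be passed to the interpreter */
#define BINPRM_FLAGS_EXECFD_BIT 1
#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)

/* filename of the binary will be inaccessible after exec */
#define BINPRM_FLAGS_PATH_INACCESSIBLE_BIT 2
#define BINPRM_FLAGS_PATH_INACCESSIBLE (1 << BINPRM_FLAGS_PATH_INACCESSIBLE_BIT)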
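/*
 * Function parameter for binfmt->coredump: the core_dump callback in
 * struct linux_binfmt takes a pointer to one of these.
 *
 * NOTE(review): the per-field remarks below are read from the names only;
 * confirm them against the core-dump code before relying on them.
 */
struct coredump_params {
	const siginfo_t *siginfo;	/* presumably the signal that caused the dump */
	struct pt_regs *regs;		/* presumably the register state to record */
	struct file *file;		/* presumably the file the dump is written to */
	unsigned long limit;		/* presumably the size limit for the dump */
	unsigned long mm_flags;
	loff_t written;			/* presumably bytes written so far */
	loff_t pos;
};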
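/*
 * This structure defines the functions that are used to load the binary
 * formats that linux accepts.
 *
 * The commit message that accompanies this listing describes load_binary()
 * as reached via search_binary_handler(), via exec_binprm().
 */
struct linux_binfmt {
	/* list linkage; presumably the list __register_binfmt() adds to -- confirm */
	struct list_head lh;
	struct module *module;
	/* loads the image described by the linux_binprm */
	int (*load_binary)(struct linux_binprm *);
	int (*load_shlib)(struct file *);
	/* takes the struct coredump_params declared in this header */
	int (*core_dump)(struct coredump_params *cprm);
	unsigned long min_coredump;	/* minimal dump size */
} __randomize_layout;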
/*
 * Registers the binary-format handler @fmt. The inline wrappers in this
 * header pass insert == 0 (register_binfmt) or insert == 1 (insert_binfmt,
 * "adds a new binfmt at the top of the list"). Defined outside this header.
 */
extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
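/*
 * Registration of default binfmt handlers: forwards @fmt to
 * __register_binfmt() with insert == 0.
 *
 * insert_binfmt() is documented as placing the handler at the top of the
 * list, so this variant presumably appends it instead -- confirm in the
 * definition of __register_binfmt().
 */
static inline void register_binfmt(struct linux_binfmt *fmt)
{
	__register_binfmt(fmt, 0);
}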
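/*
 * Registers @fmt like register_binfmt(), but adds the new binfmt at the top
 * of the list (calls __register_binfmt() with insert == 1).
 *
 * NOTE(review): if handlers are tried in list order, a handler added this
 * way is consulted before the default ones; confirm the ordering in
 * search_binary_handler() when reviewing a caller.
 */
static inline void insert_binfmt(struct linux_binfmt *fmt)
{
	__register_binfmt(fmt, 1);
}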
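extern void unregister_binfmt(struct linux_binfmt *fmt);

/*
 * Per the commit message that accompanies this listing: calls the
 * bprm_set_creds hook and bprm_fill_uid(), sets bprm->called_set_creds
 * after the first hook call, and can run more than once for a single exec
 * (e.g. binfmt_script, binfmt_misc).
 */
extern int prepare_binprm(struct linux_binprm *bprm);
extern int __must_check remove_arg_zero(struct linux_binprm *bprm);
/* Reaches the format's load_binary(), per the same commit message. */
extern int search_binary_handler(struct linux_binprm *bprm);
extern int flush_old_exec(struct linux_binprm *bprm);
/*
 * Per the same commit message: runs after all the cred work is finished and
 * past the point of no return; at this revision it is also where the
 * secureexec hook is called.
 */
extern void setup_new_exec(struct linux_binprm *bprm);
extern void would_dump(struct linux_binprm *bprm, struct file *file);

/*
 * NOTE(review): undocumented here; the name suggests the setting that
 * governs core dumps of setuid programs -- confirm where it is defined.
 * The extern is required: this is an object declaration, not a prototype.
 */
extern int suid_dumpable;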
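/*
 * Stack area protections. The names match the executable_stack argument of
 * setup_arg_pages() declared in this header; presumably these are its
 * accepted values -- confirm at the callers.
 */
#define EXSTACK_DEFAULT   0	/* Whatever the arch defaults to */
#define EXSTACK_DISABLE_X 1	/* Disable executable stacks */
#define EXSTACK_ENABLE_X  2	/* Enable executable stacks */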
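/*
 * Exec helpers defined outside this header. Parameter names are given for
 * readability only; the types are unchanged.
 */

/* @executable_stack presumably takes one of the EXSTACK_* values -- confirm. */
extern int setup_arg_pages(struct linux_binprm *bprm,
			   unsigned long stack_top,
			   int executable_stack);
extern int transfer_args_to_stack(struct linux_binprm *bprm,
				  unsigned long *sp_location);
extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
extern int copy_strings_kernel(int argc, const char *const *argv,
			       struct linux_binprm *bprm);
extern int prepare_bprm_creds(struct linux_binprm *bprm);
extern void install_exec_creds(struct linux_binprm *bprm);
extern void set_binfmt(struct linux_binfmt *new);
extern ssize_t read_code(struct file *file, unsigned long addr,
			 loff_t pos, size_t len);

/*
 * The two string-array arguments are __user pointers to __user pointers,
 * i.e. both the arrays and the strings live in user space.
 */
extern int do_execve(struct filename *filename,
		     const char __user * const __user *argv,
		     const char __user * const __user *envp);
extern int do_execveat(int fd, struct filename *filename,
		       const char __user * const __user *argv,
		       const char __user * const __user *envp,
		       int flags);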
#endif /* _LINUX_BINFMTS_H */