diff options
| author | Kees Cook <keescook@chromium.org> | 2014-05-21 15:23:46 -0700 |
|---|---|---|
| committer | Ben Hutchings <ben@decadent.org.uk> | 2017-10-12 15:28:22 +0100 |
| commit | 5f3333219189a3fe4bbbd2d67e636ed1bb74d243 (patch) | |
| tree | e4078c65d51b66763aaaee24b3b9b14cb80771ca | |
| parent | 9e839401a65a30d15cbe9a1255640cd5ce2b548d (diff) | |
| download | linux-stable-5f3333219189a3fe4bbbd2d67e636ed1bb74d243.tar.gz linux-stable-5f3333219189a3fe4bbbd2d67e636ed1bb74d243.tar.bz2 linux-stable-5f3333219189a3fe4bbbd2d67e636ed1bb74d243.zip | |
sched: move no_new_privs into new atomic flags
commit 1d4457f99928a968767f6405b4a1f50845aa15fd upstream.
Since seccomp transitions between threads requires updates to the
no_new_privs flag to be atomic, the flag must be part of an atomic flag
set. This moves the nnp flag into a separate task field, and introduces
accessors.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
| -rw-r--r-- | fs/exec.c | 4 | ||||
| -rw-r--r-- | include/linux/sched.h | 18 | ||||
| -rw-r--r-- | kernel/seccomp.c | 2 | ||||
| -rw-r--r-- | kernel/sys.c | 4 | ||||
| -rw-r--r-- | security/apparmor/domain.c | 4 |
5 files changed, 22 insertions, 10 deletions
diff --git a/fs/exec.c b/fs/exec.c index b5af6a256cf7..fa3604731bae 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1269,7 +1269,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm) * This isn't strictly necessary, but it makes it harder for LSMs to * mess up. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; t = p; @@ -1303,7 +1303,7 @@ static void bprm_fill_uid(struct linux_binprm *bprm) if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) return; - if (current->no_new_privs) + if (task_no_new_privs(current)) return; inode = file_inode(bprm->file); diff --git a/include/linux/sched.h b/include/linux/sched.h index 504f5599463e..7e433ffee3a7 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1317,13 +1317,12 @@ struct task_struct { * execve */ unsigned in_iowait:1; - /* task may not gain privileges */ - unsigned no_new_privs:1; - /* Revert to default priority/policy when forking */ unsigned sched_reset_on_fork:1; unsigned sched_contributes_to_load:1; + unsigned long atomic_flags; /* Flags needing atomic access. */ + pid_t pid; pid_t tgid; @@ -1979,6 +1978,19 @@ static inline void memalloc_noio_restore(unsigned int flags) current->flags = (current->flags & ~PF_MEMALLOC_NOIO) | flags; } +/* Per-process atomic flags. */ +#define PFA_NO_NEW_PRIVS 0x00000001 /* May not gain new privileges. */ + +static inline bool task_no_new_privs(struct task_struct *p) +{ + return test_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags); +} + +static inline void task_set_no_new_privs(struct task_struct *p) +{ + set_bit(PFA_NO_NEW_PRIVS, &p->atomic_flags); +} + /* * task->jobctl flags */ diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 301bbc24739c..e2eb71b1e970 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -224,7 +224,7 @@ static long seccomp_attach_filter(struct sock_fprog *fprog) * This avoids scenarios where unprivileged tasks can affect the * behavior of privileged children. */ - if (!current->no_new_privs && + if (!task_no_new_privs(current) && security_capable_noaudit(current_cred(), current_user_ns(), CAP_SYS_ADMIN) != 0) return -EACCES; diff --git a/kernel/sys.c b/kernel/sys.c index 6fe6c5986c59..0cb192dc4a93 100644 --- a/kernel/sys.c +++ b/kernel/sys.c @@ -1989,12 +1989,12 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3, if (arg2 != 1 || arg3 || arg4 || arg5) return -EINVAL; - current->no_new_privs = 1; + task_set_no_new_privs(current); break; case PR_GET_NO_NEW_PRIVS: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; - return current->no_new_privs ? 1 : 0; + return task_no_new_privs(current) ? 1 : 0; case PR_GET_THP_DISABLE: if (arg2 || arg3 || arg4 || arg5) return -EINVAL; diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index c0ee04da93e6..24a21cd72b4c 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -621,7 +621,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) * There is no exception for unconfined as change_hat is not * available. */ - if (current->no_new_privs) + if (task_no_new_privs(current)) return -EPERM; /* released below */ @@ -778,7 +778,7 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, * no_new_privs is set because this aways results in a reduction * of permissions. */ - if (current->no_new_privs && !unconfined(profile)) { + if (task_no_new_privs(current) && !unconfined(profile)) { put_cred(cred); return -EPERM; } |