Commit 4759ff71 authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds

exec: Check __FMODE_EXEC instead of in_execve for LSMs

After commit 978ffcbf ("execve: open the executable file before
doing anything else"), current->in_execve was no longer in sync with the
open(). This broke AppArmor and TOMOYO which depend on this flag to
distinguish "open" operations from being "exec" operations.

Instead of moving around in_execve, switch to using __FMODE_EXEC, which
is where the "is this an exec?" intent is stored. Note that TOMOYO still
uses in_execve around cred handling.
Reported-by: default avatarKevin Locke <kevin@kevinlocke.name>
Closes: https://lore.kernel.org/all/ZbE4qn9_h14OqADK@kevinlocke.nameSuggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Fixes: 978ffcbf ("execve: open the executable file before doing anything else")
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc:  <linux-fsdevel@vger.kernel.org>
Cc:  <linux-mm@kvack.org>
Cc:  <apparmor@lists.ubuntu.com>
Cc:  <linux-security-module@vger.kernel.org>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 1110ebe0
...@@ -469,8 +469,10 @@ static int apparmor_file_open(struct file *file) ...@@ -469,8 +469,10 @@ static int apparmor_file_open(struct file *file)
* Cache permissions granted by the previous exec check, with * Cache permissions granted by the previous exec check, with
* implicit read and executable mmap which are required to * implicit read and executable mmap which are required to
* actually execute the image. * actually execute the image.
*
* Illogically, FMODE_EXEC is in f_flags, not f_mode.
*/ */
if (current->in_execve) { if (file->f_flags & __FMODE_EXEC) {
fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
return 0; return 0;
} }
......
...@@ -328,7 +328,8 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, ...@@ -328,7 +328,8 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
static int tomoyo_file_open(struct file *f) static int tomoyo_file_open(struct file *f)
{ {
/* Don't check read permission here if called from execve(). */ /* Don't check read permission here if called from execve(). */
if (current->in_execve) /* Illogically, FMODE_EXEC is in f_flags, not f_mode. */
if (f->f_flags & __FMODE_EXEC)
return 0; return 0;
return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path,
f->f_flags); f->f_flags);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment