• Yoav Zach's avatar
    [PATCH] Handle non-readable binfmt_misc executables · 79baf43b
    Yoav Zach authored
    <background>
    
    I work in a group that works on enabling the IA-32 Execution Layer
    (http://www.intel.com/pressroom/archive/releases/20040113comp.htm) on Linux.
    In a few words - this is a dynamic translator for IA-32 binaries on IPF
    platform.  Following David Mosberger's advice - we use the binfmt_misc
    mechanism for the invocation of the translator whenever the user tries to
    exec an IA-32 binary.
    
    The EL is meant to help in the migration path from IA-32 to IPF.  From our
    beta customers we learnt that at first stage - they tend to keep their
    environment mostly intact, using the legacy IA-32 binaries.
    
    Such an environment has, naturally, setuid and non-readable binaries.  It
    will be useless to ask the administrator to change the settings of such an
    environment - some of them are very complex, and the administrators are
    reluctant to make any changes in a system that already proved itself to be
    robust and secure.  So, our target with these patches is not to enhance the
    support for scripts but rather to allow a translator to be integrated into a
    working environment that is not (and should not be) aware to the fact it's
    being emulated.
    
    As I said before - it is practically hopeless to expect an administrator of
    such a system to change it so that it will suit the current behavior of
    binfmt_misc.  But, even if we could do that,
    
    I'm not sure it would be a good idea - these changes are likely to be less
    secure than the suggested patches -
    
    - In order to execute non-readable binaries the binary will have to be made
      readable, which is obviously less secure than allowing only a trusted
      translator to read it
    
    - There will be no way for the translator to calculate the accurate
      AT_SECURE value for the translated process.  This might end up with the
      translated process running in a non-secured mode when it actually needs to
      be secured.
    
    </background>
    
    
    I prepared a patch that solves a couple of problems that interpreters have
    when invoked via binfmt_misc.  currently -
    
    1) such interpreters cannot open non-readable binaries
    
    2) the processes will have their credentials and security attributes
       calculated according to interpreter permissions and not those of the
       original binary
    
    the proposed patch solves these problems by -
    
    1) opening the binary on behalf of the interpreter and passing its fd
       instead of the path as argv[1] to the interpreter
    
    2) calling prepare_binprm with the file struct of the binary and not the
       one of the interpreter
    
    The new functionality is enabled by adding a special flag to the registration
    string.  If this flag is not added then old behavior is not changed.
    
    A preliminary version of this patch was sent to the list on 9/1/2003 with the
    title "[PATCH]: non-readable binaries - binfmt_misc 2.6.0-test4".  This new
    version fixes the concerns that were raised by the patch, except of calling
    unshare_files() before allocating a new fd.  this is because this feature did
    not enter 2.6 yet.
    
    
    Arun Sharma <arun.sharma@intel.com> says:
    
    We were going through an internal review of this patch:
    
    http://marc.theaimsgroup.com/?l=linux-kernel&m=107424598901720&w=2
    
    which is in your tree already.  I'm not sure if this line of code got
    sufficient review.
    
    +               /* call prepare_binprm before switching to interpreter's file
    +                * so that all security calculation will be done according to
    +                * binary and not interpreter */
    +               retval = prepare_binprm(bprm);
    
    The case that concerns me is: unprivileged interpreter and a privileged
    binary.  One can use binfmt_misc to execute untrusted code (interpreter) with
    elevated privileges.  One could argue that all binfmt_misc interpreters are
    trusted, because only root can register them.  But that's a change from the
    traditional behavior of binfmt_misc (and binfmt_script).
    
    
    (Update):
    
    Arun pointed out that calculating the process credentials according to the
    binary that needs to be translated is a bit risky, since it requires the
    administrator to pay extra attention not to register an interpreter which is
    not intended to run with root credentials.
    
    After discussing this issue with him, I would like to propose a modified
    patch: The old patch did 2 things - 1) open the binary for reading and 2)
    calculate the credentials according to the binary.
    
    I removed the riskier part of changing the credentials calculation, so the
    revised patch only opens the binary for reading.  It also includes few words
    of warning in the description of the 'open-binary' feature in
    binfmt_misc.txt, and makes the function entry_status print the flags in use.
    
    As for the 'credentials' part of the patch, I will prepare a separate patch
    for it and send it again to the LKML, describe the problem and ask for people
    comments.
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    79baf43b
binfmt_misc.c 15.2 KB