[PATCH 0/1] RFC: security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

[Igor Lubashev]

This patch introduces SECURE_KEEP_FSUID to allow fsuid/fsgid to be
preserved across execve. I ran into a need for a patch trying to
implement a set-uid-root wrapper for perf.

My set-uid-root wrapper implements local policies, allowing only
certain users to run perf and only with certain arguments.

Perf, like a number of other kernel features, checks euid (and KASLR
access, required for perf top and perf report, also checks real uid)
in addition to checking capabilities.  Hence, I must execve perf from
my wrapper with root euid.

However, when I execve perf with root euid, it automatically obtains
root fsuid. This is very undesirable for a number of reasons:

1. 'perf record' will create perf.data file that cannot be deleted by
   the user.

2. 'perf record' becomes insecure, allowing the user an ability to
   overwrite any key file owned by root (and because of
   time-of-check/time-of-use principle, nothing I can check in the
   wrapper can reliably prevent the user from doing so).

3. 'perf report' can potentially read files that the user does not
   have permissions to read.


Perf and KASLR are not the only kernel features that check for root
uid/euid, so a general approach like the one in this patch seems
warranted.


This patch is the minimal set of changes required to achieve my goals.
However, I am wondering if we might want to go a bit further and have
a secure bit that stops fsuid/fsgid following euid/egid in all
contexts, including set*uid as well as ignoring uid/suid/euid in
setfsuid (and similarly for set*gid and setfsgid).

I will update man pages as needed.

Igor Lubashev (1):
  security: add SECURE_KEEP_FSUID to preserve fsuid/fsgid across execve

 include/uapi/linux/securebits.h | 10 +++++++++-
 security/commoncap.c            |  9 +++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

-- 
2.7.4