[PATCH 1/5] exec: Call cap_bprm_set_creds directly from prepare_binprm
Eric W. Biederman
ebiederm at xmission.com
Sat May 9 19:40:53 UTC 2020
The function cap_bprm_set_creds is the only instance of
security_bprm_set_creds that does something for the primary executable
file and for every interpreter the rest of the implementations of
security_bprm_set_creds do something only for the primary executable
file even if that file is a shell script.
The function cap_bprm_set_creds is also special in that it is called
even when CONFIG_SECURITY is unset.
So calling cap_bprm_set_creds separately to make these two cases explicit,
and allow future changes to take advantages of these differences
to simplify the code.
Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
---
fs/exec.c | 4 ++++
include/linux/security.h | 2 +-
security/commoncap.c | 1 -
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/exec.c b/fs/exec.c
index b0620d5ebc66..765bfd51a546 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1641,6 +1641,10 @@ int prepare_binprm(struct linux_binprm *bprm)
return retval;
bprm->called_set_creds = 1;
+ retval = cap_bprm_set_creds(bprm);
+ if (retval)
+ return retval;
+
memset(bprm->buf, 0, BINPRM_BUF_SIZE);
return kernel_read(bprm->file, bprm->buf, BINPRM_BUF_SIZE, &pos);
}
diff --git a/include/linux/security.h b/include/linux/security.h
index a8d9310472df..c1aa1638429a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -571,7 +571,7 @@ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
static inline int security_bprm_set_creds(struct linux_binprm *bprm)
{
- return cap_bprm_set_creds(bprm);
+ return 0;
}
static inline int security_bprm_check(struct linux_binprm *bprm)
diff --git a/security/commoncap.c b/security/commoncap.c
index f4ee0ae106b2..3757988abe42 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1346,7 +1346,6 @@ static struct security_hook_list capability_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(ptrace_traceme, cap_ptrace_traceme),
LSM_HOOK_INIT(capget, cap_capget),
LSM_HOOK_INIT(capset, cap_capset),
- LSM_HOOK_INIT(bprm_set_creds, cap_bprm_set_creds),
LSM_HOOK_INIT(inode_need_killpriv, cap_inode_need_killpriv),
LSM_HOOK_INIT(inode_killpriv, cap_inode_killpriv),
LSM_HOOK_INIT(inode_getsecurity, cap_inode_getsecurity),
--
2.25.0
More information about the Linux-security-module-archive
mailing list