[PATCH 1/2] fs/exec: Explicitly unshare fs_struct on exec

Kees Cook kees at kernel.org
Tue May 13 23:15:52 UTC 2025



On May 13, 2025 2:09:48 PM PDT, Jann Horn <jannh at google.com> wrote:
>On Tue, May 13, 2025 at 10:57 PM Kees Cook <kees at kernel.org> wrote:
>> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <mjguzik at gmail.com> wrote:
>> >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is
>> >shared. This will have to be checked for after the execing proc becomes
>> >single-threaded ofc.
>>
>> Unfortunately the above Chrome helper is setuid and uses CLONE_FS.
>
>Chrome first launches a setuid helper, and then the setuid helper does
>CLONE_FS. Mateusz's proposal would not impact this usecase.
>
>Mateusz is proposing to block the case where a process first does
>CLONE_FS, and *then* one of the processes sharing the fs_struct does a
>setuid execve(). Linux already downgrades such an execve() to be
>non-setuid, which probably means anyone trying to do this will get
>hard-to-understand problems. Mateusz' proposal would just turn this
>hard-to-debug edgecase, which already doesn't really work, into a
>clean error; I think that is a nice improvement even just from the
>UAPI standpoint.
>
>If this change makes it possible to clean up the kernel code a bit, even better.


Ah! Okay, I appreciate the clarification. :) I'm game to try making it an error instead of silent downgrading.

-Kees


-- 
Kees Cook
-- 
Kees Cook



More information about the Linux-security-module-archive mailing list