From nobody Thu Jul 2 12:41:15 2026 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BD8F2C433EF for ; Mon, 27 Dec 2021 22:36:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233843AbhL0Wg3 (ORCPT ); Mon, 27 Dec 2021 17:36:29 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.133.124]:26444 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233828AbhL0Wg2 (ORCPT ); Mon, 27 Dec 2021 17:36:28 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1640644588; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=I2MPpu4RRED/PxNo7vsNt+qZUGBH+EFljvAOqHQFBbM=; b=hmVD3pZTa+ibUKJ3HR0fGgOG8LnttH/asFFR7I3eAzsXNwR+FCvo1+SYQnSpx98hR88WZ+ lsY1RPaZ9CdLCyGI1bGMTOC0wAIxyky+gEo9hK5lnroDSCFd9SPmBAfy5S8i//g5MKLvuX 1P70hhfi6K556qUmWDs1ICqIt+EuagQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-554-BaBpK_k9NfyzWgxzx5evvA-1; Mon, 27 Dec 2021 17:36:25 -0500 X-MC-Unique: BaBpK_k9NfyzWgxzx5evvA-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CAF84800480; Mon, 27 Dec 2021 22:36:22 +0000 (UTC) Received: from wcosta.com (ovpn-116-95.gru2.redhat.com [10.97.116.95]) by smtp.corp.redhat.com (Postfix) with ESMTP id 442E078D8F; Mon, 27 Dec 2021 22:35:41 +0000 (UTC) 
From: Wander Lairson Costa
To: Alexander Viro, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Laurent Vivier, Wander Lairson Costa, YunQiang Su, Helge Deller, "Eric W. Biederman", Jens Axboe, Andrew Morton, Alexey Gladkov, Rafael Aquini, Phil Auld, Rolf Eike Beer, Muchun Song, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC 1/4] exec: add a flag indicating if an exec file is a suid/sgid
Date: Mon, 27 Dec 2021 19:34:32 -0300
Message-Id: <20211227223436.317091-2-wander@redhat.com>
In-Reply-To: <20211227223436.317091-1-wander@redhat.com>
References: <20211227223436.317091-1-wander@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

We create an additional flag in the struct linux_bprm to indicate a suid/sgid binary. We will use this information in a later commit to set the task_struct flags accordingly.

Signed-off-by: Wander Lairson Costa
--- fs/exec.c | 2 ++ include/linux/binfmts.h | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index 2bb8dd6a4e2a..3913b335b95f 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1621,11 +1621,13 @@ static void bprm_fill_uid(struct linux_binprm *bprm= , struct file *file) if (mode & S_ISUID) { bprm->per_clear |=3D PER_CLEAR_ON_SETID; bprm->cred->euid =3D uid; + bprm->suid_bin =3D 1; } =20 if ((mode & (S_ISGID | S_IXGRP)) =3D=3D (S_ISGID | S_IXGRP)) { bprm->per_clear |=3D PER_CLEAR_ON_SETID; bprm->cred->egid =3D gid; + bprm->suid_bin =3D 1; } } =20 diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 049cf9421d83..c4b41b9711d2 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h
@@ -41,7 +41,11 @@ struct linux_binprm { * Set when errors can no longer be returned to the * original userspace. */ - point_of_no_return:1; + point_of_no_return:1, + /* + * Is this a suid/sgid binary? + */ + suid_bin:1; #ifdef __alpha__ unsigned int taso:1; #endif --=20 2.27.0
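Review bot: in the bprm_fill_uid hunk the same `bprm->suid_bin = 1` is set in the S_ISGID branch, so the bit marks set-gid binaries too while its name (and the `PF_SUID` it feeds in 2/4) says set-uid; a set-gid-root image gains no capabilities, so a consumer that keys on `capable()` will treat the two cases differently without being able to tell them apart from this bit. Either name it for both (`setid_bin`) or carry two bits. It is also set whenever the mode bit is present, even when `uid`/`gid` already equal the caller's own ids, which is acceptable for a conservative marker but should be stated in the field comment in binfmts.h rather than left to the reader.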
From: Wander Lairson Costa
To: Alexander Viro, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Laurent Vivier, YunQiang Su, Wander Lairson Costa, Helge Deller, "Eric W. Biederman", Andrew Morton, Alexey Gladkov, Jens Axboe, Rafael Aquini, Phil Auld, Rolf Eike Beer, Muchun Song, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC 2/4] process: add the PF_SUID flag
Date: Mon, 27 Dec 2021 19:34:33 -0300
Message-Id: <20211227223436.317091-3-wander@redhat.com>
In-Reply-To: <20211227223436.317091-1-wander@redhat.com>
References: <20211227223436.317091-1-wander@redhat.com>

If the binary file in an execve system call is a suid executable, we add the PF_SUID flag to the process and all its future new children and threads. In a later commit, we will use this information to determine if it is safe to core dump such a process.

Signed-off-by: Wander Lairson Costa
--- fs/exec.c | 4 ++++ include/linux/sched.h | 1 + kernel/fork.c | 2 ++ 3 files changed, 7 insertions(+) diff --git a/fs/exec.c b/fs/exec.c index 3913b335b95f..b4bd157a5282 100644 --- a/fs/exec.c +++ b/fs/exec.c
@@ -1311,6 +1311,10 @@ int begin_new_exec(struct linux_binprm * bprm) =20 me->flags &=3D ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD | PF_NOFREEZE | PF_NO_SETAFFINITY); + + if (bprm->suid_bin) + me->flags |=3D PF_SUID; + flush_thread(); me->personality &=3D ~bprm->per_clear; =20 diff --git a/include/linux/sched.h b/include/linux/sched.h index e3b328b81ac0..f7811c42b004 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -1651,6 +1651,7 @@ extern struct pid *cad_pid; #define PF_VCPU 0x00000001 /* I'm a virtual CPU */ #define PF_IDLE 0x00000002 /* I am an IDLE thread */ #define PF_EXITING 0x00000004 /* Getting shut down */ +#define PF_SUID 0x00000008 /* The process comes from a suid/sgid binary = */ #define PF_IO_WORKER 0x00000010 /* Task is an IO worker */ #define PF_WQ_WORKER 0x00000020 /* I'm a workqueue worker */ #define PF_FORKNOEXEC 0x00000040 /* Forked but didn't exec */ diff --git a/kernel/fork.c b/kernel/fork.c index 231b1ba3ca9f..1e1ffff70d14 100644 --- a/kernel/fork.c +++ b/kernel/fork.c 
@@ -2080,6 +2080,8 @@ static __latent_entropy struct task_struct *copy_proc= ess( delayacct_tsk_init(p); /* Must remain after dup_task_struct() */ p->flags &=3D ~(PF_SUPERPRIV | PF_WQ_WORKER | PF_IDLE | PF_NO_SETAFFINITY= ); p->flags |=3D PF_FORKNOEXEC; + if (current->flags & PF_SUID) + p->flags |=3D PF_SUID; INIT_LIST_HEAD(&p->children); INIT_LIST_HEAD(&p->sibling); rcu_copy_process(p); --=20 2.27.0
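Review bot: in the begin_new_exec hunk nothing ever clears PF_SUID: the mask on the line above drops PF_RANDOMIZE, PF_FORKNOEXEC, PF_KTHREAD, PF_NOFREEZE and PF_NO_SETAFFINITY but not PF_SUID, and the new lines only OR it in. A task that once executed a set-id binary therefore stays flagged through every later execve, including one of an ordinary binary after it has dropped privileges, and so do all of its descendants via the fork.c hunk. The commit message only promises children and threads; either add PF_SUID to the cleared mask so the bit describes the current image and is re-derived from `bprm->suid_bin` on each exec, or state in the comment that stickiness across exec is intended.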
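Review bot: in the sched.h hunk PF_SUID takes 0x00000008, the unused slot between PF_EXITING (0x04) and PF_IO_WORKER (0x10); please confirm the bit is still free in the tree this is aimed at, since a flag added there upstream would alias silently. The comment `The process comes from a suid/sgid binary` also stops being accurate once 4/4 makes setting the bit conditional on the caller not being privileged; word it for what the bit will actually mean, e.g. "unprivileged task that executed a set-id binary".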
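Review bot: in the copy_process hunk the added `if (current->flags & PF_SUID) p->flags |= PF_SUID;` looks redundant: the line above masks PF_SUPERPRIV, PF_WQ_WORKER, PF_IDLE and PF_NO_SETAFFINITY out of `p->flags`, which only makes sense if `p->flags` already carries the parent's flags, and PF_SUID is not in that mask. If that is the case, drop the two lines or replace them with a one-line comment saying PF_SUID is deliberately inherited, so the intent survives a future edit to the mask.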
From: Wander Lairson Costa
To: Alexander Viro, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, Laurent Vivier, Wander Lairson Costa, YunQiang Su, Helge Deller, "Eric W. Biederman", Alexey Gladkov, Andrew Morton, Jens Axboe, Rafael Aquini, Phil Auld, Rolf Eike Beer, Muchun Song, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC 3/4] coredump: mitigate privilege escalation of process coredump
Date: Mon, 27 Dec 2021 19:34:34 -0300
Message-Id: <20211227223436.317091-4-wander@redhat.com>
In-Reply-To: <20211227223436.317091-1-wander@redhat.com>
References: <20211227223436.317091-1-wander@redhat.com>

A set-uid executable might be a vector to a privilege escalation if the system configures the coredump file name pattern as a relative directory destiny. The full description of the vulnerability and a demonstration of how we can exploit it can be found at [1].

We now check if the core dump pattern is relative. If it is, then we verify if root owns the current directory and if it does, we deny writing the core file unless the directory is universally writable.

[1] https://www.openwall.com/lists/oss-security/2021/10/20/2
Signed-off-by: Wander Lairson Costa --- fs/coredump.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/fs/coredump.c b/fs/coredump.c index 07afb5ddb1c4..74eae7bd144d 100644 --- a/fs/coredump.c +++ b/fs/coredump.c @@ -580,6 +580,7 @@ void do_coredump(const kernel_siginfo_t *siginfo) struct core_name cn; struct mm_struct *mm =3D current->mm; struct linux_binfmt * binfmt; + struct inode *pwd_inode; const struct cred *old_cred; struct cred *cred; int retval =3D 0; 
@@ -625,6 +626,20 @@ void do_coredump(const kernel_siginfo_t *siginfo) need_suid_safe =3D true; } =20 + /* + * If we are a set-uid/gid root process and the current directory is + * owned by root but not universally writable, prohibit dumps under + * this path. + * + * Mitigate https://www.openwall.com/lists/oss-security/2021/10/20/2 + */ + pwd_inode =3D current->fs->pwd.dentry->d_inode; + if (current->flags & PF_SUID && + capable(CAP_SYS_ADMIN) && + uid_eq(pwd_inode->i_uid, GLOBAL_ROOT_UID) && + !(pwd_inode->i_mode & 0002)) + need_suid_safe =3D true; + retval =3D coredump_wait(siginfo->si_signo, &core_state); if (retval < 0) goto fail_creds; --=20 2.27.0
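Review bot: in the do_coredump hunk the check does not match the commit message and has a race. The message says the patch checks whether the core pattern is relative, but nothing here looks at the pattern; the hunk only sets `need_suid_safe`, so the relative-path decision rests entirely on the existing consumer of that flag, and the comment should say so. `current->fs->pwd.dentry->d_inode` is read before `coredump_wait()` without taking `fs->lock` or a path reference, so another thread of the dumping process can still `chdir()` underneath it; use `get_fs_pwd()`/`path_put()` or move the check after the wait. `capable(CAP_SYS_ADMIN)` is not the privilege that lets a dump land in a root-owned directory, and it is false for the set-gid-root case that 1/4 flags, so compare the credentials the comment actually talks about (`current_euid()`/`current_egid()` against root) instead; `capable()` also sets PF_SUPERPRIV and records an audit event. `0002` should be `S_IWOTH`, and `current->flags & PF_SUID &&` wants parentheses for readability. Finally, limiting the test to `GLOBAL_ROOT_UID` leaves out directories owned by any other user the invoker cannot write to; asking whether the invoking real uid may write to the directory (`inode_permission()` with MAY_WRITE under the real credentials) covers both, and also handles idmapped mounts, which a bare `i_uid` comparison does not.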
From: Wander Lairson Costa
To: Alexander Viro, Ingo Molnar, Peter Zijlstra, Juri Lelli, Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman, Daniel Bristot de Oliveira, YunQiang Su, Laurent Vivier, Wander Lairson Costa, Helge Deller, "Eric W. Biederman", Jens Axboe, Alexey Gladkov, Andrew Morton, Rafael Aquini, Phil Auld, Rolf Eike Beer, Muchun Song, linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and infrastructure)), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH RFC 4/4] exec: only set the suid flag if the current proc isn't root
Date: Mon, 27 Dec 2021 19:34:35 -0300
Message-Id: <20211227223436.317091-5-wander@redhat.com>
In-Reply-To: <20211227223436.317091-1-wander@redhat.com>
References: <20211227223436.317091-1-wander@redhat.com>

The goal of the PF_SUID flag is to check if it is safe to coredump the process. If the current process is already privileged, there is no point in performing security checks because the name image is a set-uid process. Because of that, we don't set the suid flag if the forked process already runs as root.
Signed-off-by: Wander Lairson Costa --- fs/exec.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index b4bd157a5282..d73b21b6298c 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1312,7 +1312,11 @@ int begin_new_exec(struct linux_binprm * bprm) me->flags &=3D ~(PF_RANDOMIZE | PF_FORKNOEXEC | PF_KTHREAD | PF_NOFREEZE | PF_NO_SETAFFINITY); =20 - if (bprm->suid_bin) + /* + * We set the PF_SUID flags for security reasons. There is no + * point in setting it if the parent is root. + */ + if (bprm->suid_bin && !capable(CAP_SYS_ADMIN)) me->flags |=3D PF_SUID; =20 flush_thread(); --=20 2.27.0
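Review bot: in the begin_new_exec hunk `capable(CAP_SYS_ADMIN)` decides the bit from whatever credentials are current at this point, which the commit message wants to be the pre-exec ones ("already runs as root"); the comment should say the check has to stay ahead of the credential switch, because if it were moved past it every set-uid-root image would satisfy it and the flag would never be set. `capable()` also sets PF_SUPERPRIV and records an audit event on every exec of a set-id binary; `ns_capable_noaudit()` or a direct `uid_eq(current_euid(), GLOBAL_ROOT_UID)` test avoids the side effect and matches the message better than CAP_SYS_ADMIN, which is not what makes a caller root. Minor: the comment should read "PF_SUID flag", and the task being tested is the exec'ing task itself, not its parent.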
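A host-side configuration check, added here and not part of the series: it classifies a kernel.core_pattern / fs.suid_dumpable pair for the relative-pattern exposure that 3/4 hardens in the kernel. The labels, the two sysctl paths and the helper names are this example's own; the refusal of a relative path for set-id dumps under suid_dumpable=2 is existing kernel behaviour that the hunk's `need_suid_safe` reuses.

```shell
#!/bin/sh
# Added example (not from the patch series): classify a host's core dump
# configuration. Inputs mirror the contents of /proc/sys/kernel/core_pattern
# and /proc/sys/fs/suid_dumpable; the labels are this script's own.

# classify_core_config PATTERN SUID_DUMPABLE prints exactly one label:
#   nodump    suid_dumpable=0: set-id processes are never dumped
#   pipe      pattern starts with '|': the dump is handed to a helper program,
#             so the crashing task's cwd is not involved
#   absolute  pattern starts with '/': dumps land in a fixed directory
#   suidsafe  relative pattern with suid_dumpable=2: set-id dumps run as root
#             and the kernel refuses a relative path for them
#   exposed   relative pattern with suid_dumpable=1: a crashing set-uid root
#             task writes the core into its cwd with root's file permissions,
#             the situation 3/4 adds a directory-ownership check for
#   invalid   suid_dumpable is not 0, 1 or 2
classify_core_config() {
    pattern=$1
    suid_dumpable=$2
    case "$suid_dumpable" in
        0)   echo nodump; return 0 ;;
        1|2) ;;
        *)   echo invalid; return 0 ;;
    esac
    case "$pattern" in
        '|'*) echo pipe ;;
        /*)   echo absolute ;;
        *)    # anything else resolves relative to the crashing task's cwd
              if [ "$suid_dumpable" = 2 ]; then echo suidsafe; else echo exposed; fi ;;
    esac
}

# audit_host reads the live sysctls; it is the only part that touches /proc.
# Returns 1 when the files cannot be read (non-Linux host or no permission).
audit_host() {
    p=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || return 1
    s=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null) || return 1
    printf 'core_pattern=%s suid_dumpable=%s -> %s\n' "$p" "$s" \
        "$(classify_core_config "$p" "$s")"
}
```

Call `audit_host` on the machine under review; `exposed` is the state the series is written for, and switching the pattern to an absolute path or a pipe helper closes it without a kernel change.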