From: Kees Cook keescook@chromium.org
mainline inclusion
from mainline-v6.8-rc2
commit 4759ff71f23e1a9cba001009abab68cde6dc327a
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/IAZ996
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
After commit 978ffcbf00d8 ("execve: open the executable file before doing anything else"), current->in_execve was no longer in sync with the open(). This broke AppArmor and TOMOYO which depend on this flag to distinguish "open" operations from being "exec" operations.
Instead of moving around in_execve, switch to using __FMODE_EXEC, which is where the "is this an exec?" intent is stored. Note that TOMOYO still uses in_execve around cred handling.
Reported-by: Kevin Locke kevin@kevinlocke.name
Closes: https://lore.kernel.org/all/ZbE4qn9_h14OqADK@kevinlocke.name
Suggested-by: Linus Torvalds torvalds@linux-foundation.org
Fixes: 978ffcbf00d8 ("execve: open the executable file before doing anything else")
Cc: Josh Triplett josh@joshtriplett.org
Cc: John Johansen john.johansen@canonical.com
Cc: Paul Moore paul@paul-moore.com
Cc: James Morris jmorris@namei.org
Cc: Serge E. Hallyn serge@hallyn.com
Cc: Kentaro Takeda takedakn@nttdata.co.jp
Cc: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
Cc: Alexander Viro viro@zeniv.linux.org.uk
Cc: Christian Brauner brauner@kernel.org
Cc: Jan Kara jack@suse.cz
Cc: Eric Biederman ebiederm@xmission.com
Cc: Andrew Morton akpm@linux-foundation.org
Cc: Sebastian Andrzej Siewior bigeasy@linutronix.de
Cc: linux-fsdevel@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: apparmor@lists.ubuntu.com
Cc: linux-security-module@vger.kernel.org
Signed-off-by: Kees Cook keescook@chromium.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Gu Bowen gubowen5@huawei.com
---
 security/apparmor/lsm.c  | 4 +++-
 security/tomoyo/tomoyo.c | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 5303a51eff9c..56cd03fa8086 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -461,8 +461,10 @@ static int apparmor_file_open(struct file *file) * Cache permissions granted by the previous exec check, with * implicit read and executable mmap which are required to * actually execute the image. + * + * Illogically, FMODE_EXEC is in f_flags, not f_mode. */ - if (current->in_execve) { + if (file->f_flags & __FMODE_EXEC) { fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; return 0; } diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 298d182759c2..db1fefbd66de 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -327,7 +327,8 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, static int tomoyo_file_open(struct file *f) { /* Don't check read permission here if called from execve(). */ - if (current->in_execve) + /* Illogically, FMODE_EXEC is in f_flags, not f_mode. */ + if (f->f_flags & __FMODE_EXEC) return 0; return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, f->f_flags);
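Review bot: In the security/apparmor/lsm.c hunk, the replacement condition `if (file->f_flags & __FMODE_EXEC)` makes the cached grant of `MAY_EXEC | MAY_READ | AA_EXEC_MMAP` depend on a per-file flag rather than the task-wide `current->in_execve`, which is the right scope: the old flag described the task, so any open() performed while it was set was classified as an exec open, while `__FMODE_EXEC` travels with the one struct file that execve() actually opened. The added comment "Illogically, FMODE_EXEC is in f_flags, not f_mode" is needed because a reader would otherwise expect `file->f_mode & FMODE_EXEC`; it would help to also say in the comment (or the commit message) that `__FMODE_EXEC` is only ever set on the exec path's open, since the early `return 0` skips the normal open-permission check for any file carrying the flag and the safety of the shortcut rests entirely on that invariant.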
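Review bot: In the security/tomoyo/tomoyo.c hunk, the new line `/* Illogically, FMODE_EXEC is in f_flags, not f_mode. */` is placed directly under the existing `/* Don't check read permission here if called from execve(). */`, producing two consecutive single-line comments before the `if`; merging them into one comment block reads better and keeps the "why we skip" and "why f_flags" rationale together. Logic-wise the hunk is consistent: the early `return 0` still bypasses only the read-permission check for the exec open, and the same `f->f_flags` value is passed unchanged to `tomoyo_check_open_permission()` on the non-exec path. Since the commit message notes that TOMOYO "still uses in_execve around cred handling", it would be worth a sentence in the message stating that those remaining `in_execve` users are not affected by the 978ffcbf00d8 reordering, so a later reader does not assume this hunk left a second instance of the same bug behind.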