License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 15:07:57 +01:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
2005-04-17 00:20:36 +02:00
|
|
|
#ifndef _LINUX_BINFMTS_H
|
|
|
|
#define _LINUX_BINFMTS_H
|
|
|
|
|
2012-02-04 10:47:10 +01:00
|
|
|
#include <linux/sched.h>
|
2012-09-30 19:20:09 +02:00
|
|
|
#include <linux/unistd.h>
|
2012-08-03 10:14:44 +02:00
|
|
|
#include <asm/exec.h>
|
2012-10-13 11:46:48 +02:00
|
|
|
#include <uapi/linux/binfmts.h>
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2017-02-05 14:24:31 +01:00
|
|
|
struct filename;
|
|
|
|
|
2007-05-17 07:11:16 +02:00
|
|
|
#define CORENAME_MAX_SIZE 128
|
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
/*
|
|
|
|
* This structure is used to hold the arguments that are used when loading binaries.
|
|
|
|
*/
|
2011-01-13 02:00:02 +01:00
|
|
|
struct linux_binprm {
|
2005-04-17 00:20:36 +02:00
|
|
|
char buf[BINPRM_BUF_SIZE];
|
2007-07-19 10:48:16 +02:00
|
|
|
#ifdef CONFIG_MMU
|
|
|
|
struct vm_area_struct *vma;
|
2010-11-30 20:55:34 +01:00
|
|
|
unsigned long vma_pages;
|
2007-07-19 10:48:16 +02:00
|
|
|
#else
|
|
|
|
# define MAX_ARG_PAGES 32
|
2005-04-17 00:20:36 +02:00
|
|
|
struct page *page[MAX_ARG_PAGES];
|
2007-07-19 10:48:16 +02:00
|
|
|
#endif
|
2005-04-17 00:20:36 +02:00
|
|
|
struct mm_struct *mm;
|
|
|
|
unsigned long p; /* current top of mem */
|
2009-04-03 01:58:29 +02:00
|
|
|
unsigned int
|
2017-07-19 00:25:23 +02:00
|
|
|
/*
|
|
|
|
* True after the bprm_set_creds hook has been called once
|
|
|
|
* (multiple calls can be made via prepare_binprm() for
|
|
|
|
* binfmt_script/misc).
|
|
|
|
*/
|
|
|
|
called_set_creds:1,
|
2017-07-19 00:25:27 +02:00
|
|
|
/*
|
|
|
|
* True if most recent call to the commoncaps bprm_set_creds
|
|
|
|
* hook (due to multiple prepare_binprm() calls from the
|
|
|
|
* binfmt_script/misc handlers) resulted in elevated
|
|
|
|
* privileges.
|
|
|
|
*/
|
|
|
|
cap_elevated:1,
|
binfmt: Introduce secureexec flag
The bprm_secureexec hook can be moved earlier. Right now, it is called
during create_elf_tables(), via load_binary(), via search_binary_handler(),
via exec_binprm(). Nearly all (see exception below) state used by
bprm_secureexec is created during the bprm_set_creds hook, called from
prepare_binprm().
For all LSMs (except commoncaps described next), only the first execution
of bprm_set_creds takes any effect (they all check bprm->called_set_creds
which prepare_binprm() sets after the first call to the bprm_set_creds
hook). However, all these LSMs also only do anything with bprm_secureexec
when they detected a secure state during their first run of bprm_set_creds.
Therefore, it is functionally identical to move the detection into
bprm_set_creds, since the results from secureexec here only need to be
based on the first call to the LSM's bprm_set_creds hook.
The single exception is that the commoncaps secureexec hook also examines
euid/uid and egid/gid differences which are controlled by bprm_fill_uid(),
via prepare_binprm(), which can be called multiple times (e.g.
binfmt_script, binfmt_misc), and may clear the euid/egid for the final
load (i.e. the script interpreter). However, while commoncaps specifically
ignores bprm->cred_prepared, and runs its bprm_set_creds hook each time
prepare_binprm() may get called, it needs to base the secureexec decision
on the final call to bprm_set_creds. As a result, it will need special
handling.
To begin this refactoring, this adds the secureexec flag to the bprm
struct, and calls the secureexec hook during setup_new_exec(). This is
safe since all the cred work is finished (and past the point of no return).
This explicit call will be removed in later patches once the hook has been
removed.
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
2017-07-19 00:25:22 +02:00
|
|
|
/*
|
|
|
|
* Set by bprm_set_creds hook to indicate a privilege-gaining
|
|
|
|
* exec has happened. Used to sanitize execution environment
|
|
|
|
* and to set AT_SECURE auxv for glibc.
|
|
|
|
*/
|
|
|
|
secureexec:1;
|
2008-10-16 07:02:37 +02:00
|
|
|
#ifdef __alpha__
|
|
|
|
unsigned int taso:1;
|
|
|
|
#endif
|
2013-09-11 23:24:39 +02:00
|
|
|
unsigned int recursion_depth; /* only for search_binary_handler() */
|
2005-04-17 00:20:36 +02:00
|
|
|
struct file * file;
|
CRED: Make execve() take advantage of copy-on-write credentials
Make execve() take advantage of copy-on-write credentials, allowing it to set
up the credentials in advance, and then commit the whole lot after the point
of no return.
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
The credential bits from struct linux_binprm are, for the most part,
replaced with a single credentials pointer (bprm->cred). This means that
all the creds can be calculated in advance and then applied at the point
of no return with no possibility of failure.
I would like to replace bprm->cap_effective with:
cap_isclear(bprm->cap_effective)
but this seems impossible due to special behaviour for processes of pid 1
(they always retain their parent's capability masks where normally they'd
be changed - see cap_bprm_set_creds()).
The following sequence of events now happens:
(a) At the start of do_execve, the current task's cred_exec_mutex is
locked to prevent PTRACE_ATTACH from obsoleting the calculation of
creds that we make.
(a) prepare_exec_creds() is then called to make a copy of the current
task's credentials and prepare it. This copy is then assigned to
bprm->cred.
This renders security_bprm_alloc() and security_bprm_free()
unnecessary, and so they've been removed.
(b) The determination of unsafe execution is now performed immediately
after (a) rather than later on in the code. The result is stored in
bprm->unsafe for future reference.
(c) prepare_binprm() is called, possibly multiple times.
(i) This applies the result of set[ug]id binaries to the new creds
attached to bprm->cred. Personality bit clearance is recorded,
but now deferred on the basis that the exec procedure may yet
fail.
(ii) This then calls the new security_bprm_set_creds(). This should
calculate the new LSM and capability credentials into *bprm->cred.
This folds together security_bprm_set() and parts of
security_bprm_apply_creds() (these two have been removed).
Anything that might fail must be done at this point.
(iii) bprm->cred_prepared is set to 1.
bprm->cred_prepared is 0 on the first pass of the security
calculations, and 1 on all subsequent passes. This allows SELinux
in (ii) to base its calculations only on the initial script and
not on the interpreter.
(d) flush_old_exec() is called to commit the task to execution. This
performs the following steps with regard to credentials:
(i) Clear pdeath_signal and set dumpable on certain circumstances that
may not be covered by commit_creds().
(ii) Clear any bits in current->personality that were deferred from
(c.i).
(e) install_exec_creds() [compute_creds() as was] is called to install the
new credentials. This performs the following steps with regard to
credentials:
(i) Calls security_bprm_committing_creds() to apply any security
requirements, such as flushing unauthorised files in SELinux, that
must be done before the credentials are changed.
This is made up of bits of security_bprm_apply_creds() and
security_bprm_post_apply_creds(), both of which have been removed.
This function is not allowed to fail; anything that might fail
must have been done in (c.ii).
(ii) Calls commit_creds() to apply the new credentials in a single
assignment (more or less). Possibly pdeath_signal and dumpable
should be part of struct creds.
(iii) Unlocks the task's cred_replace_mutex, thus allowing
PTRACE_ATTACH to take place.
(iv) Clears The bprm->cred pointer as the credentials it was holding
are now immutable.
(v) Calls security_bprm_committed_creds() to apply any security
alterations that must be done after the creds have been changed.
SELinux uses this to flush signals and signal handlers.
(f) If an error occurs before (d.i), bprm_free() will call abort_creds()
to destroy the proposed new credentials and will then unlock
cred_replace_mutex. No changes to the credentials will have been
made.
(2) LSM interface.
A number of functions have been changed, added or removed:
(*) security_bprm_alloc(), ->bprm_alloc_security()
(*) security_bprm_free(), ->bprm_free_security()
Removed in favour of preparing new credentials and modifying those.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
(*) security_bprm_post_apply_creds(), ->bprm_post_apply_creds()
Removed; split between security_bprm_set_creds(),
security_bprm_committing_creds() and security_bprm_committed_creds().
(*) security_bprm_set(), ->bprm_set_security()
Removed; folded into security_bprm_set_creds().
(*) security_bprm_set_creds(), ->bprm_set_creds()
New. The new credentials in bprm->creds should be checked and set up
as appropriate. bprm->cred_prepared is 0 on the first call, 1 on the
second and subsequent calls.
(*) security_bprm_committing_creds(), ->bprm_committing_creds()
(*) security_bprm_committed_creds(), ->bprm_committed_creds()
New. Apply the security effects of the new credentials. This
includes closing unauthorised files in SELinux. This function may not
fail. When the former is called, the creds haven't yet been applied
to the process; when the latter is called, they have.
The former may access bprm->cred, the latter may not.
(3) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) The bprm_security_struct struct has been removed in favour of using
the credentials-under-construction approach.
(c) flush_unauthorized_files() now takes a cred pointer and passes it on
to inode_has_perm(), file_has_perm() and dentry_open().
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:24 +01:00
|
|
|
struct cred *cred; /* new credentials */
|
|
|
|
int unsafe; /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
|
|
|
|
unsigned int per_clear; /* bits to clear in current->personality */
|
2005-04-17 00:20:36 +02:00
|
|
|
int argc, envc;
|
2010-08-18 00:52:56 +02:00
|
|
|
const char * filename; /* Name of binary as seen by procps */
|
|
|
|
const char * interp; /* Name of the binary really executed. Most
|
2005-04-17 00:20:36 +02:00
|
|
|
of the time same as filename, but could be
|
|
|
|
different for binfmt_{misc,script} */
|
|
|
|
unsigned interp_flags;
|
|
|
|
unsigned interp_data;
|
|
|
|
unsigned long loader, exec;
|
2018-04-11 01:35:01 +02:00
|
|
|
|
|
|
|
struct rlimit rlim_stack; /* Saved RLIMIT_STACK used during exec. */
|
2016-10-28 10:22:25 +02:00
|
|
|
} __randomize_layout;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
#define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
|
|
|
|
#define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
|
|
|
|
|
|
|
|
/* fd of the binary should be passed to the interpreter */
|
|
|
|
#define BINPRM_FLAGS_EXECFD_BIT 1
|
|
|
|
#define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
|
|
|
|
|
syscalls: implement execveat() system call
This patchset adds execveat(2) for x86, and is derived from Meredydd
Luff's patch from Sept 2012 (https://lkml.org/lkml/2012/9/11/528).
The primary aim of adding an execveat syscall is to allow an
implementation of fexecve(3) that does not rely on the /proc filesystem,
at least for executables (rather than scripts). The current glibc version
of fexecve(3) is implemented via /proc, which causes problems in sandboxed
or otherwise restricted environments.
Given the desire for a /proc-free fexecve() implementation, HPA suggested
(https://lkml.org/lkml/2006/7/11/556) that an execveat(2) syscall would be
an appropriate generalization.
Also, having a new syscall means that it can take a flags argument without
back-compatibility concerns. The current implementation just defines the
AT_EMPTY_PATH and AT_SYMLINK_NOFOLLOW flags, but other flags could be
added in future -- for example, flags for new namespaces (as suggested at
https://lkml.org/lkml/2006/7/11/474).
Related history:
- https://lkml.org/lkml/2006/12/27/123 is an example of someone
realizing that fexecve() is likely to fail in a chroot environment.
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=514043 covered
documenting the /proc requirement of fexecve(3) in its manpage, to
"prevent other people from wasting their time".
- https://bugzilla.redhat.com/show_bug.cgi?id=241609 described a
problem where a process that did setuid() could not fexecve()
because it no longer had access to /proc/self/fd; this has since
been fixed.
This patch (of 4):
Add a new execveat(2) system call. execveat() is to execve() as openat()
is to open(): it takes a file descriptor that refers to a directory, and
resolves the filename relative to that.
In addition, if the filename is empty and AT_EMPTY_PATH is specified,
execveat() executes the file to which the file descriptor refers. This
replicates the functionality of fexecve(), which is a system call in other
UNIXen, but in Linux glibc it depends on opening "/proc/self/fd/<fd>" (and
so relies on /proc being mounted).
The filename fed to the executed program as argv[0] (or the name of the
script fed to a script interpreter) will be of the form "/dev/fd/<fd>"
(for an empty filename) or "/dev/fd/<fd>/<filename>", effectively
reflecting how the executable was found. This does however mean that
execution of a script in a /proc-less environment won't work; also, script
execution via an O_CLOEXEC file descriptor fails (as the file will not be
accessible after exec).
Based on patches by Meredydd Luff.
Signed-off-by: David Drysdale <drysdale@google.com>
Cc: Meredydd Luff <meredydd@senatehouse.org>
Cc: Shuah Khan <shuah.kh@samsung.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Rich Felker <dalias@aerifal.cx>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-13 01:57:29 +01:00
|
|
|
/* filename of the binary will be inaccessible after exec */
|
|
|
|
#define BINPRM_FLAGS_PATH_INACCESSIBLE_BIT 2
|
|
|
|
#define BINPRM_FLAGS_PATH_INACCESSIBLE (1 << BINPRM_FLAGS_PATH_INACCESSIBLE_BIT)
|
|
|
|
|
2009-12-18 00:27:16 +01:00
|
|
|
/* Function parameter for binfmt->coredump */
|
|
|
|
struct coredump_params {
|
2013-10-13 23:57:29 +02:00
|
|
|
const siginfo_t *siginfo;
|
2009-12-18 00:27:16 +01:00
|
|
|
struct pt_regs *regs;
|
|
|
|
struct file *file;
|
|
|
|
unsigned long limit;
|
2010-03-05 22:44:12 +01:00
|
|
|
unsigned long mm_flags;
|
2013-10-05 21:32:35 +02:00
|
|
|
loff_t written;
|
2016-06-05 23:14:14 +02:00
|
|
|
loff_t pos;
|
2009-12-18 00:27:16 +01:00
|
|
|
};
|
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
/*
|
|
|
|
* This structure defines the functions that are used to load the binary formats that
|
|
|
|
* linux accepts.
|
|
|
|
*/
|
|
|
|
struct linux_binfmt {
|
2007-10-17 08:26:03 +02:00
|
|
|
struct list_head lh;
|
2005-04-17 00:20:36 +02:00
|
|
|
struct module *module;
|
2012-10-21 04:00:48 +02:00
|
|
|
int (*load_binary)(struct linux_binprm *);
|
2005-04-17 00:20:36 +02:00
|
|
|
int (*load_shlib)(struct file *);
|
2009-12-18 00:27:16 +01:00
|
|
|
int (*core_dump)(struct coredump_params *cprm);
|
2005-04-17 00:20:36 +02:00
|
|
|
unsigned long min_coredump; /* minimal dump size */
|
2016-10-28 10:22:25 +02:00
|
|
|
} __randomize_layout;
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2012-03-17 08:05:16 +01:00
|
|
|
extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
|
2009-05-01 00:08:49 +02:00
|
|
|
|
|
|
|
/* Registration of default binfmt handlers */
|
2012-03-17 08:05:16 +01:00
|
|
|
static inline void register_binfmt(struct linux_binfmt *fmt)
|
2009-05-01 00:08:49 +02:00
|
|
|
{
|
2012-03-17 08:05:16 +01:00
|
|
|
__register_binfmt(fmt, 0);
|
2009-05-01 00:08:49 +02:00
|
|
|
}
|
|
|
|
/* Same as above, but adds a new binfmt at the top of the list */
|
2012-03-17 08:05:16 +01:00
|
|
|
static inline void insert_binfmt(struct linux_binfmt *fmt)
|
2009-05-01 00:08:49 +02:00
|
|
|
{
|
2012-03-17 08:05:16 +01:00
|
|
|
__register_binfmt(fmt, 1);
|
2009-05-01 00:08:49 +02:00
|
|
|
}
|
|
|
|
|
2007-10-17 08:26:04 +02:00
|
|
|
extern void unregister_binfmt(struct linux_binfmt *);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
|
|
|
extern int prepare_binprm(struct linux_binprm *);
|
2007-07-19 10:48:16 +02:00
|
|
|
extern int __must_check remove_arg_zero(struct linux_binprm *);
|
2012-10-21 03:53:31 +02:00
|
|
|
extern int search_binary_handler(struct linux_binprm *);
|
2005-04-17 00:20:36 +02:00
|
|
|
extern int flush_old_exec(struct linux_binprm * bprm);
|
Split 'flush_old_exec' into two functions
'flush_old_exec()' is the point of no return when doing an execve(), and
it is pretty badly misnamed. It doesn't just flush the old executable
environment, it also starts up the new one.
Which is very inconvenient for things like setting up the new
personality, because we want the new personality to affect the starting
of the new environment, but at the same time we do _not_ want the new
personality to take effect if flushing the old one fails.
As a result, the x86-64 '32-bit' personality is actually done using this
insane "I'm going to change the ABI, but I haven't done it yet" bit
(TIF_ABI_PENDING), with SET_PERSONALITY() not actually setting the
personality, but just the "pending" bit, so that "flush_thread()" can do
the actual personality magic.
This patch in no way changes any of that insanity, but it does split the
'flush_old_exec()' function up into a preparatory part that can fail
(still called flush_old_exec()), and a new part that will actually set
up the new exec environment (setup_new_exec()). All callers are changed
to trivially comply with the new world order.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-01-29 07:14:42 +01:00
|
|
|
extern void setup_new_exec(struct linux_binprm * bprm);
|
2018-04-11 01:34:57 +02:00
|
|
|
extern void finalize_exec(struct linux_binprm *bprm);
|
2011-06-19 18:49:47 +02:00
|
|
|
extern void would_dump(struct linux_binprm *, struct file *);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2005-06-23 09:09:43 +02:00
|
|
|
extern int suid_dumpable;
|
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
/* Stack area protections */
|
|
|
|
#define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */
|
|
|
|
#define EXSTACK_DISABLE_X 1 /* Disable executable stacks */
|
|
|
|
#define EXSTACK_ENABLE_X 2 /* Enable executable stacks */
|
|
|
|
|
|
|
|
extern int setup_arg_pages(struct linux_binprm * bprm,
|
|
|
|
unsigned long stack_top,
|
|
|
|
int executable_stack);
|
2016-07-24 17:30:18 +02:00
|
|
|
extern int transfer_args_to_stack(struct linux_binprm *bprm,
|
|
|
|
unsigned long *sp_location);
|
2017-10-04 01:15:42 +02:00
|
|
|
extern int bprm_change_interp(const char *interp, struct linux_binprm *bprm);
|
2010-08-18 00:52:56 +02:00
|
|
|
extern int copy_strings_kernel(int argc, const char *const *argv,
|
|
|
|
struct linux_binprm *bprm);
|
2009-09-05 20:17:13 +02:00
|
|
|
extern int prepare_bprm_creds(struct linux_binprm *bprm);
|
CRED: Make execve() take advantage of copy-on-write credentials
Make execve() take advantage of copy-on-write credentials, allowing it to set
up the credentials in advance, and then commit the whole lot after the point
of no return.
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
The credential bits from struct linux_binprm are, for the most part,
replaced with a single credentials pointer (bprm->cred). This means that
all the creds can be calculated in advance and then applied at the point
of no return with no possibility of failure.
I would like to replace bprm->cap_effective with:
cap_isclear(bprm->cap_effective)
but this seems impossible due to special behaviour for processes of pid 1
(they always retain their parent's capability masks where normally they'd
be changed - see cap_bprm_set_creds()).
The following sequence of events now happens:
(a) At the start of do_execve, the current task's cred_exec_mutex is
locked to prevent PTRACE_ATTACH from obsoleting the calculation of
creds that we make.
(a) prepare_exec_creds() is then called to make a copy of the current
task's credentials and prepare it. This copy is then assigned to
bprm->cred.
This renders security_bprm_alloc() and security_bprm_free()
unnecessary, and so they've been removed.
(b) The determination of unsafe execution is now performed immediately
after (a) rather than later on in the code. The result is stored in
bprm->unsafe for future reference.
(c) prepare_binprm() is called, possibly multiple times.
(i) This applies the result of set[ug]id binaries to the new creds
attached to bprm->cred. Personality bit clearance is recorded,
but now deferred on the basis that the exec procedure may yet
fail.
(ii) This then calls the new security_bprm_set_creds(). This should
calculate the new LSM and capability credentials into *bprm->cred.
This folds together security_bprm_set() and parts of
security_bprm_apply_creds() (these two have been removed).
Anything that might fail must be done at this point.
(iii) bprm->cred_prepared is set to 1.
bprm->cred_prepared is 0 on the first pass of the security
calculations, and 1 on all subsequent passes. This allows SELinux
in (ii) to base its calculations only on the initial script and
not on the interpreter.
(d) flush_old_exec() is called to commit the task to execution. This
performs the following steps with regard to credentials:
(i) Clear pdeath_signal and set dumpable on certain circumstances that
may not be covered by commit_creds().
(ii) Clear any bits in current->personality that were deferred from
(c.i).
(e) install_exec_creds() [compute_creds() as was] is called to install the
new credentials. This performs the following steps with regard to
credentials:
(i) Calls security_bprm_committing_creds() to apply any security
requirements, such as flushing unauthorised files in SELinux, that
must be done before the credentials are changed.
This is made up of bits of security_bprm_apply_creds() and
security_bprm_post_apply_creds(), both of which have been removed.
This function is not allowed to fail; anything that might fail
must have been done in (c.ii).
(ii) Calls commit_creds() to apply the new credentials in a single
assignment (more or less). Possibly pdeath_signal and dumpable
should be part of struct creds.
(iii) Unlocks the task's cred_replace_mutex, thus allowing
PTRACE_ATTACH to take place.
(iv) Clears The bprm->cred pointer as the credentials it was holding
are now immutable.
(v) Calls security_bprm_committed_creds() to apply any security
alterations that must be done after the creds have been changed.
SELinux uses this to flush signals and signal handlers.
(f) If an error occurs before (d.i), bprm_free() will call abort_creds()
to destroy the proposed new credentials and will then unlock
cred_replace_mutex. No changes to the credentials will have been
made.
(2) LSM interface.
A number of functions have been changed, added or removed:
(*) security_bprm_alloc(), ->bprm_alloc_security()
(*) security_bprm_free(), ->bprm_free_security()
Removed in favour of preparing new credentials and modifying those.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
(*) security_bprm_post_apply_creds(), ->bprm_post_apply_creds()
Removed; split between security_bprm_set_creds(),
security_bprm_committing_creds() and security_bprm_committed_creds().
(*) security_bprm_set(), ->bprm_set_security()
Removed; folded into security_bprm_set_creds().
(*) security_bprm_set_creds(), ->bprm_set_creds()
New. The new credentials in bprm->creds should be checked and set up
as appropriate. bprm->cred_prepared is 0 on the first call, 1 on the
second and subsequent calls.
(*) security_bprm_committing_creds(), ->bprm_committing_creds()
(*) security_bprm_committed_creds(), ->bprm_committed_creds()
New. Apply the security effects of the new credentials. This
includes closing unauthorised files in SELinux. This function may not
fail. When the former is called, the creds haven't yet been applied
to the process; when the latter is called, they have.
The former may access bprm->cred, the latter may not.
(3) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) The bprm_security_struct struct has been removed in favour of using
the credentials-under-construction approach.
(c) flush_unauthorized_files() now takes a cred pointer and passes it on
to inode_has_perm(), file_has_perm() and dentry_open().
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-14 00:39:24 +01:00
|
|
|
extern void install_exec_creds(struct linux_binprm *bprm);
|
2009-09-24 00:56:59 +02:00
|
|
|
extern void set_binfmt(struct linux_binfmt *new);
|
2013-04-14 02:31:37 +02:00
|
|
|
extern ssize_t read_code(struct file *, unsigned long, loff_t, size_t);
|
2005-04-17 00:20:36 +02:00
|
|
|
|
2017-02-05 14:24:31 +01:00
|
|
|
extern int do_execve(struct filename *,
|
|
|
|
const char __user * const __user *,
|
|
|
|
const char __user * const __user *);
|
|
|
|
extern int do_execveat(int, struct filename *,
|
|
|
|
const char __user * const __user *,
|
|
|
|
const char __user * const __user *,
|
|
|
|
int);
|
umh: introduce fork_usermode_blob() helper
Introduce helper:
int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
struct umh_info {
struct file *pipe_to_umh;
struct file *pipe_from_umh;
pid_t pid;
};
that GPLed kernel modules (signed or unsigned) can use it to execute part
of its own data as swappable user mode process.
The kernel will do:
- allocate a unique file in tmpfs
- populate that file with [data, data + len] bytes
- user-mode-helper code will do_execve that file and, before the process
starts, the kernel will create two unix pipes for bidirectional
communication between kernel module and umh
- close tmpfs file, effectively deleting it
- the fork_usermode_blob will return zero on success and populate
'struct umh_info' with two unix pipes and the pid of the user process
As the first step in the development of the bpfilter project
the fork_usermode_blob() helper is introduced to allow user mode code
to be invoked from a kernel module. The idea is that user mode code plus
normal kernel module code are built as part of the kernel build
and installed as traditional kernel module into distro specified location,
such that from a distribution point of view, there is
no difference between regular kernel modules and kernel modules + umh code.
Such modules can be signed, modprobed, rmmod, etc. The use of this new helper
by a kernel module doesn't make it any special from kernel and user space
tooling point of view.
Such approach enables kernel to delegate functionality traditionally done
by the kernel modules into the user space processes (either root or !root) and
reduces security attack surface of the new code. The buggy umh code would crash
the user process, but not the kernel. Another advantage is that umh code
of the kernel module can be debugged and tested out of user space
(e.g. opening the possibility to run clang sanitizers, fuzzers or
user space test suites on the umh code).
In case of the bpfilter project such architecture allows complex control plane
to be done in the user space while bpf based data plane stays in the kernel.
Since umh can crash, can be oom-ed by the kernel, killed by the admin,
the kernel module that uses them (like bpfilter) needs to manage life
time of umh on its own via two unix pipes and the pid of umh.
The exit code of such kernel module should kill the umh it started,
so that rmmod of the kernel module will cleanup the corresponding umh.
Just like if the kernel module does kmalloc() it should kfree() it
in the exit code.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-22 04:22:29 +02:00
|
|
|
int do_execve_file(struct file *file, void *__argv, void *__envp);
|
2017-02-05 14:24:31 +01:00
|
|
|
|
2005-04-17 00:20:36 +02:00
|
|
|
#endif /* _LINUX_BINFMTS_H */
|