exec: Check __FMODE_EXEC instead of in_execve for LSMs

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

After commit 978ffcbf00d8 ("execve: open the executable file before
doing anything else"), current->in_execve was no longer in sync with the
open(). This broke AppArmor and TOMOYO which depend on this flag to
distinguish "open" operations from being "exec" operations.

Instead of moving around in_execve, switch to using __FMODE_EXEC, which
is where the "is this an exec?" intent is stored. Note that TOMOYO still
uses in_execve around cred handling.

Reported-by: Kevin Locke <kevin@kevinlocke.name>
Closes: https://lore.kernel.org/all/ZbE4qn9_h14OqADK@kevinlocke.name
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Fixes: 978ffcbf00d8 ("execve: open the executable file before doing anything else")
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Paul Moore <paul@paul-moore.com>
Cc: James Morris <jmorris@namei.org>
Cc: Serge E. Hallyn <serge@hallyn.com>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: <linux-fsdevel@vger.kernel.org>
Cc: <linux-mm@kvack.org>
Cc: <apparmor@lists.ubuntu.com>
Cc: <linux-security-module@vger.kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Kees Cook and committed by

Linus Torvalds 2 years ago 4759ff71 1110ebe0

+5 -2

2 changed files

expand all

security

apparmor

lsm.c

tomoyo

tomoyo.c

+3 -1

security/apparmor/lsm.c

··· 469 469 * Cache permissions granted by the previous exec check, with 470 470 * implicit read and executable mmap which are required to 471 471 * actually execute the image. 472 + * 473 + * Illogically, FMODE_EXEC is in f_flags, not f_mode. 472 474 */ 473 - if (current->in_execve) { 475 + if (file->f_flags & __FMODE_EXEC) { 474 476 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 475 477 return 0; 476 478 }

+2 -1

security/tomoyo/tomoyo.c

··· 328 328 static int tomoyo_file_open(struct file *f) 329 329 { 330 330 /* Don't check read permission here if called from execve(). */ 331 - if (current->in_execve) 331 + /* Illogically, FMODE_EXEC is in f_flags, not f_mode. */ 332 + if (f->f_flags & __FMODE_EXEC) 332 333 return 0; 333 334 return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, 334 335 f->f_flags);