On May 13, 2025 2:09:48 PM PDT, Jann Horn <[email protected]> wrote:
>On Tue, May 13, 2025 at 10:57 PM Kees Cook <[email protected]> wrote:
>> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <[email protected]> wrote:
>> >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is
>> >shared. This will have to be checked for after the execing proc becomes
>> >single-threaded ofc.
>>
>> Unfortunately the above Chrome helper is setuid and uses CLONE_FS.
>
>Chrome first launches a setuid helper, and then the setuid helper does
>CLONE_FS. Mateusz's proposal would not impact this usecase.
>
>Mateusz is proposing to block the case where a process first does
>CLONE_FS, and *then* one of the processes sharing the fs_struct does a
>setuid execve(). Linux already downgrades such an execve() to be
>non-setuid, which probably means anyone trying to do this will get
>hard-to-understand problems. Mateusz' proposal would just turn this
>hard-to-debug edgecase, which already doesn't really work, into a
>clean error; I think that is a nice improvement even just from the
>UAPI standpoint.
>
>If this change makes it possible to clean up the kernel code a bit, even
>better.
Ah! Okay, I appreciate the clarification. :) I'm game to try making it an error
instead of silent downgrading.
-Kees
--
Kees Cook
--
Kees Cook
