On Fri, Jul 7, 2017 at 1:04 PM, Linus Torvalds <[email protected]> wrote: > On Fri, Jul 7, 2017 at 12:56 PM, Kees Cook <[email protected]> wrote: >> As discussed with Linus and Andy, we need to reset the stack rlimit >> before we do memory layouts when execing a privilege-gaining (e.g. >> setuid) program. This moves security_bprm_secureexec() earlier (with >> required changes), and then lowers the stack limit when appropriate. > > Looks sane to me, and that first patch looks like a nice cleanup > regardless - the old semantics were insane.
I wonder if we could collapse all the secureexec logic in setup_new_exec. There are three places (?). I was shy to consolidate those in this patch in case there were weird dependencies on dumpability ordering. But I'll go see if I can clean those up too... -Kees -- Kees Cook Pixel Security
