On Tue, May 13, 2025 at 10:57 PM Kees Cook <kees@xxxxxxxxxx> wrote: > On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <mjguzik@xxxxxxxxx> wrote: > >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is > >shared. This will have to be checked for after the execing proc becomes > >single-threaded ofc. > > Unfortunately the above Chrome helper is setuid and uses CLONE_FS. Chrome first launches a setuid helper, and then the setuid helper does CLONE_FS. Mateusz's proposal would not impact this usecase. Mateusz is proposing to block the case where a process first does CLONE_FS, and *then* one of the processes sharing the fs_struct does a setuid execve(). Linux already downgrades such an execve() to be non-setuid, which probably means anyone trying to do this will get hard-to-understand problems. Mateusz' proposal would just turn this hard-to-debug edgecase, which already doesn't really work, into a clean error; I think that is a nice improvement even just from the UAPI standpoint. If this change makes it possible to clean up the kernel code a bit, even better.
