On May 13, 2025 2:09:48 PM PDT, Jann Horn <jannh@xxxxxxxxxx> wrote: >On Tue, May 13, 2025 at 10:57 PM Kees Cook <kees@xxxxxxxxxx> wrote: >> On May 13, 2025 6:05:45 AM PDT, Mateusz Guzik <mjguzik@xxxxxxxxx> wrote: >> >Here is my proposal: *deny* exec of suid/sgid binaries if fs_struct is >> >shared. This will have to be checked for after the execing proc becomes >> >single-threaded ofc. >> >> Unfortunately the above Chrome helper is setuid and uses CLONE_FS. > >Chrome first launches a setuid helper, and then the setuid helper does >CLONE_FS. Mateusz's proposal would not impact this usecase. > >Mateusz is proposing to block the case where a process first does >CLONE_FS, and *then* one of the processes sharing the fs_struct does a >setuid execve(). Linux already downgrades such an execve() to be >non-setuid, which probably means anyone trying to do this will get >hard-to-understand problems. Mateusz' proposal would just turn this >hard-to-debug edgecase, which already doesn't really work, into a >clean error; I think that is a nice improvement even just from the >UAPI standpoint. > >If this change makes it possible to clean up the kernel code a bit, even better. Ah! Okay, I appreciate the clarification. :) I'm game to try making it an error instead of silent downgrading. -Kees -- Kees Cook -- Kees Cook
