)]}'
{
  "commit": "f88c3719a1100d5936dd7b90c9b14746c6f25095",
  "tree": "ab86b1f609a5f422e05398487cec274ffb084ec2",
  "parents": [
    "4a242f94f9264723761ef74e1eb4b262b9861e6c"
  ],
  "author": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Fri Aug 05 16:05:26 2011 +0100"
  },
  "committer": {
    "name": "David Howells",
    "email": "dhowells@redhat.com",
    "time": "Mon Jul 08 14:08:40 2013 +0100"
  },
  "message": "LSM: Use derived creds for accessing an executable\u0027s interpreter and binary loader\n\nCurrently, the caller must be able to open the script interpreter and/or the\nbinary loader that an executable wants to make use of, even if the executable\nwill be transitioned to a different context that can make use of that\ninterpreter or loader when the caller\u0027s context does not permit it.\n\nOverride credentials in open_exec() and kernel_read() with the currently\nconstructed new credentials so that if the executable file or its interpreter\nspecifies a transition to a different security context (DAC or MAC), then the\ncaller only has to provide access to the file to be executed, and not to the\ninterpreter (e.g. perl) or binary loader (e.g. ld.so) for the executable or\ninterpreter.\n\nThis means that if the caller does not have access to a script interpreter or\nbinary loader, it can still use scripts and executables that transition to a\nsecurity context that do.\n\n\nFor the initial opening of the executable file specified to execve(), this\nwon\u0027t make much difference as the new creds at that point are a clone of the\nold ones (except that the new creds do not have thread or process keyrings).\n\nFor the opening of script interpreters (e.g. /bin/sh), the file will be opened\nwith the credentials-to-be rather than the credentials of the caller of\nexecve() by the script binfmt passing the bprm to open_exec(), and the file\nwill be reopened on the subsequent pass through prepare_binprm() if a security\ncontext transition takes place.\n\nFor the opening of binary loaders (e.g. ld-linux.so), the file will be opened\nwith the credentials-to-be rather than the credentials of the caller of\nexecve() by the binary binfmt passing the bprm to open_exec().\n\nIf we publish the new credentials by making use of them, however, we may not\nchange them thereafter.  This relies on the previous patches to make the cred\npointer in struct linux_binfmt semi-committed once it\u0027s assigned there.\n\nNote that reopen_exec() uses dentry_open() rather than do_file_open().  To use\nthe latter, prepare_binprm() has to be furnished with a pointer to the filename\nfor whatever was opened for bprm-\u003efile and the core SELinux policy requires an\nadditional rule:\n\n\tallow setfiles_t bin_t:lnk_file read;\n\nso that /sbin/setfiles can be exec\u0027d as /sbin/restorecon (which is a symlink).\n\n\nTo make the SELinux testsuite work after this patch, the following two rules\nneed to be added to the policy:\n\n\t[policy/test_ptrace.te]\n\tallow test_ptrace_traced_t bin_t:file { execute read open };\n\n\t[policy/test_file.te]\n\tallow fileop_t fileop_exec_t:file { execute read open };\n\nThe first allows the ptrace test to use the perl interpreter (labelled bin_t)\nto run a perl script and the second allows the SIGIO file test\u0027s wait program\nto use its binary (labelled fileop_exec_t).\n\nReported-by: Tetsuo Handa \u003cpenguin-kernel@i-love.sakura.ne.jp\u003e\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f93d2181afe835e89c5f3083e51b856c06b8fbbe",
      "old_mode": 33188,
      "old_path": "fs/exec.c",
      "new_id": "c654afe7fa07f4f6bb32c9544e371c5ac1a80769",
      "new_mode": 33188,
      "new_path": "fs/exec.c"
    }
  ]
}