diff options
| author |   Kees Cook <keescook@chromium.org> | 2018-03-09 11:30:20 -0800 |
|---|---|---|
| committer |   James Morris <james.morris@microsoft.com> | 2018-03-19 15:49:32 +1100 |
| commit | 7bd698b3c04e61ee9e03d4c2a55003f75df14dca (patch) | |
| tree | d15e529bab47370611aa871465662775f9798027 /fs/exec.c | |
| parent | usb, signal, security: only pass the cred, not the secid, to kill_pid_info_as_cred and security_task_kill (diff) | |
| download | linux-dev-7bd698b3c04e61ee9e03d4c2a55003f75df14dca.tar.xz linux-dev-7bd698b3c04e61ee9e03d4c2a55003f75df14dca.zip | |
exec: Set file unwritable before LSM check
The LSM check should happen after the file has been confirmed to be
unchanging. Without this, we could have a race between the Time of Check
(the call to security_kernel_read_file() which could read the file and
make access policy decisions) and the Time of Use (starting with
kernel_read_file()'s reading of the file contents). In theory, file
contents could change between the two.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Diffstat (limited to 'fs/exec.c')
| -rw-r--r-- | fs/exec.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/exec.c b/fs/exec.c index 7eb8d21bcab9..a919a827d181 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0) return -EINVAL; - ret = security_kernel_read_file(file, id); + ret = deny_write_access(file); if (ret) return ret; - ret = deny_write_access(file); + ret = security_kernel_read_file(file, id); if (ret) - return ret; + goto out; i_size = i_size_read(file_inode(file)); if (max_size > 0 && i_size > max_size) { |