Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 7 Sep 2019 03:13:35 +1000
From: Aleksa Sarai <cyphar@...har.com>
To: Jeff Layton <jlayton@...nel.org>
Cc: Mickaël Salaün <mickael.salaun@....gouv.fr>,
	Florian Weimer <fweimer@...hat.com>,
	Mickaël Salaün <mic@...ikod.net>,
	linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Andy Lutomirski <luto@...nel.org>,
	Christian Heimes <christian@...hon.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Eric Chiang <ericchiang@...gle.com>,
	James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>,
	Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
	Kees Cook <keescook@...omium.org>,
	Matthew Garrett <mjg59@...gle.com>,
	Matthew Wilcox <willy@...radead.org>,
	Michael Kerrisk <mtk.manpages@...il.com>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Philippe Trébuchet <philippe.trebuchet@....gouv.fr>,
	Scott Shell <scottsh@...rosoft.com>,
	Sean Christopherson <sean.j.christopherson@...el.com>,
	Shuah Khan <shuah@...nel.org>, Song Liu <songliubraving@...com>,
	Steve Dower <steve.dower@...hon.org>,
	Steve Grubb <sgrubb@...hat.com>,
	Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
	Vincent Strubel <vincent.strubel@....gouv.fr>,
	Yves-Alexis Perez <yves-alexis.perez@....gouv.fr>,
	kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on
 sys_open()

On 2019-09-06, Jeff Layton <jlayton@...nel.org> wrote:
> On Fri, 2019-09-06 at 18:06 +0200, Mickaël Salaün wrote:
> > On 06/09/2019 17:56, Florian Weimer wrote:
> > > Let's assume I want to add support for this to the glibc dynamic loader,
> > > while still being able to run on older kernels.
> > > 
> > > Is it safe to try the open call first, with O_MAYEXEC, and if that fails
> > > with EINVAL, try again without O_MAYEXEC?
> > 
> > The kernel ignore unknown open(2) flags, so yes, it is safe even for
> > older kernel to use O_MAYEXEC.
> > 
> 
> Well...maybe. What about existing programs that are sending down bogus
> open flags? Once you turn this on, they may break...or provide a way to
> circumvent the protections this gives.

It should be noted that this has been a valid concern for every new O_*
flag introduced (and yet we still introduced new flags, despite the
concern) -- though to be fair, O_TMPFILE actually does have a
work-around with the O_DIRECTORY mask setup.

The openat2() set adds O_EMPTYPATH -- though in fairness it's also
backwards compatible because empty path strings have always given ENOENT
(or EINVAL?) while O_EMPTYPATH is a no-op non-empty strings.

> Maybe this should be a new flag that is only usable in the new openat2()
> syscall that's still under discussion? That syscall will enforce that
> all flags are recognized. You presumably wouldn't need the sysctl if you
> went that route too.

I'm also interested in whether we could add an UPGRADE_NOEXEC flag to
how->upgrade_mask for the openat2(2) patchset (I reserved a flag bit for
it, since I'd heard about this work through the grape-vine).

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.