Date: Fri, 6 Sep 2019 12:26:51 -0700 From: Andy Lutomirski <luto@...capital.net> To: Steve Grubb <sgrubb@...hat.com> Cc: Florian Weimer <fweimer@...hat.com>, Mickaël Salaün <mic@...ikod.net>, linux-kernel@...r.kernel.org, Aleksa Sarai <cyphar@...har.com>, Alexei Starovoitov <ast@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>, Christian Heimes <christian@...hon.org>, Daniel Borkmann <daniel@...earbox.net>, Eric Chiang <ericchiang@...gle.com>, James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Matthew Garrett <mjg59@...gle.com>, Matthew Wilcox <willy@...radead.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Mimi Zohar <zohar@...ux.ibm.com>, Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, Scott Shell <scottsh@...rosoft.com>, Sean Christopherson <sean.j.christopherson@...el.com>, Shuah Khan <shuah@...nel.org>, Song Liu <songliubraving@...com>, Steve Dower <steve.dower@...hon.org>, Thibaut S autereau <thibaut.sautereau@....gouv.fr>, Vincent Strubel <vincent.strubel@....gouv.fr>, Yves-Alexis Perez <yves-alexis.perez@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH v2 0/5] Add support for O_MAYEXEC > On Sep 6, 2019, at 12:07 PM, Steve Grubb <sgrubb@...hat.com> wrote: > >> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote: >> * Steve Grubb: >>> Now with LD_AUDIT >>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test >>> 2>&1 | grep passwd openat(3, "passwd", O_RDONLY) = 4 >>> >>> No O_CLOEXEC flag. >> >> I think you need to explain in detail why you consider this a problem. > > Because you can strip the O_MAYEXEC flag from being passed into the kernel. > Once you do that, you defeat the security mechanism because it never gets > invoked. The issue is that the only thing that knows _why_ something is being > opened is user space. With this mechanism, you can attempt to pass this > reason to the kernel so that it may see if policy permits this. But you can > just remove the flag. I’m with Florian here. Once you are executing code in a process, you could just emulate some other unapproved code. This series is not intended to provide the kind of absolute protection you’re imagining. What the kernel *could* do is prevent mmapping a non-FMODE_EXEC file with PROT_EXEC, which would indeed have a real effect (in an iOS-like world, for example) but would break many, many things.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.