Date: Mon, 9 Sep 2019 22:28:02 +1000
From: Aleksa Sarai <cyphar@...har.com>
To: Mickaël Salaün <mickael.salaun@....gouv.fr>
Cc: James Morris <jmorris@...ei.org>, Jeff Layton <jlayton@...nel.org>,
	Florian Weimer <fweimer@...hat.com>,
	Mickaël Salaün <mic@...ikod.net>, linux-kernel@...r.kernel.org,
	Alexei Starovoitov <ast@...nel.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Andy Lutomirski <luto@...nel.org>,
	Christian Heimes <christian@...hon.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Eric Chiang <ericchiang@...gle.com>, Jan Kara <jack@...e.cz>,
	Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
	Kees Cook <keescook@...omium.org>,
	Matthew Garrett <mjg59@...gle.com>,
	Matthew Wilcox <willy@...radead.org>,
	Michael Kerrisk <mtk.manpages@...il.com>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Philippe Trébuchet <philippe.trebuchet@....gouv.fr>,
	Scott Shell <scottsh@...rosoft.com>,
	Sean Christopherson <sean.j.christopherson@...el.com>,
	Shuah Khan <shuah@...nel.org>, Song Liu <songliubraving@...com>,
	Steve Dower <steve.dower@...hon.org>,
	Steve Grubb <sgrubb@...hat.com>,
	Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
	Vincent Strubel <vincent.strubel@....gouv.fr>,
	Yves-Alexis Perez <yves-alexis.perez@....gouv.fr>,
	kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open()

On 2019-09-09, Mickaël Salaün <mickael.salaun@....gouv.fr> wrote:
> On 09/09/2019 12:12, James Morris wrote:
> > On Mon, 9 Sep 2019, Mickaël Salaün wrote:
> >> As I said, O_MAYEXEC should be ignored if it is not supported by the
> >> kernel, which perfectly fit with the current open(2) flags behavior, and
> >> should also behave the same with openat2(2).
> >
> > The problem here is programs which are already using the value of
> > O_MAYEXEC, which will break. Hence, openat2(2).
>
> Well, it still depends on the sysctl, which doesn't enforce anything by
> default, hence doesn't break existing behavior, and this unused flags
> could be fixed/removed or reported by sysadmins or distro developers.

Okay, but then this means that new programs which really want to enforce
O_MAYEXEC (and know that they really do want this feature) won't be able
to unless an admin has set the relevant sysctl. Not to mention that the
old-kernel fallback will not cover the "it's disabled by the sysctl"
case -- so the fallback handling would need to be:

    int fd = open("foo", O_MAYEXEC|O_RDONLY);
    if (!(fcntl(fd, F_GETFL) & O_MAYEXEC))
        fallback();
    if (!sysctl_feature_is_enabled)
        fallback();

However, there is still a race here -- if an administrator enables
O_MAYEXEC after the program gets the fd, then you still won't hit the
fallback (and you can't tell that O_MAYEXEC checks weren't done).

You could fix the issue with the sysctl by clearing O_MAYEXEC from
f_flags if the sysctl is disabled. You could also avoid some of the
problems with it being a global setting by making it a prctl(2) which
processes can opt-in to (though this has its own major problems).

Sorry, but I'm just really not a fan of this.

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
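
The open(2) behaviour this exchange turns on, as an added example that is not part of the original message or the patch series: open(2) accepts a flag bit the kernel does not recognise, so a successful open says nothing about whether the check ran, while openat2(2) (merged later, in Linux 5.6) rejects the same bit with EINVAL. UNKNOWN_OFLAG is a constructed stand-in bit, not the patch's O_MAYEXEC value, and struct how_compat is a local mirror of struct open_how.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed stand-in for a flag bit the running kernel does not define.
 * Assumption for this example; it is NOT the O_MAYEXEC value from the patch. */
#define UNKNOWN_OFLAG 0x40000000

#ifndef SYS_openat2
#define SYS_openat2 437 /* syscall number on x86-64 and arm64 */
#endif

/* Local mirror of the kernel's struct open_how (three 64-bit fields). */
struct how_compat { uint64_t flags, mode, resolve; };

/* Returns 0 if open(2) accepted the unknown bit, otherwise errno. */
int legacy_open_result(const char *path)
{
    int fd = open(path, O_RDONLY | UNKNOWN_OFLAG);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Returns errno from openat2(2) for the same flags, 0 if it succeeded. */
int openat2_result(const char *path)
{
    struct how_compat how = { .flags = O_RDONLY | UNKNOWN_OFLAG };
    long fd = syscall(SYS_openat2, AT_FDCWD, path, &how, sizeof(how));
    if (fd < 0)
        return errno; /* EINVAL: unknown flag; ENOSYS: kernel older than 5.6 */
    close((int)fd);
    return 0;
}

int main(void)
{
    int a = legacy_open_result("/dev/null");
    int b = openat2_result("/dev/null");
    printf("open(2):    %s\n", a ? strerror(a) : "accepted, unknown bit ignored");
    printf("openat2(2): %s\n", b ? strerror(b) : "accepted");
    return 0;
}
```

On a kernel without openat2(2), or under a seccomp filter that blocks it, the second call reports ENOSYS or EPERM instead of EINVAL.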