Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 15 May 2020 07:37:16 -0700
From: Kees Cook <keescook@...omium.org>
To: Florian Weimer <fweimer@...hat.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
	Al Viro <viro@...iv.linux.org.uk>, Aleksa Sarai <cyphar@...har.com>,
	Andy Lutomirski <luto@...nel.org>, Mimi Zohar <zohar@...ux.ibm.com>,
	Stephen Smalley <stephen.smalley.work@...il.com>,
	Christian Heimes <christian@...hon.org>,
	Deven Bowers <deven.desai@...ux.microsoft.com>,
	Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
	John Johansen <john.johansen@...onical.com>,
	Kentaro Takeda <takedakn@...data.co.jp>,
	"Lev R. Oshvang ." <levonshe@...il.com>,
	Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Eric Chiang <ericchiang@...gle.com>,
	James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>,
	Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
	Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
	Matthew Garrett <mjg59@...gle.com>,
	Matthew Wilcox <willy@...radead.org>,
	Michael Kerrisk <mtk.manpages@...il.com>,
	Mickaël Salaün <mickael.salaun@....gouv.fr>,
	Philippe Trébuchet <philippe.trebuchet@....gouv.fr>,
	Scott Shell <scottsh@...rosoft.com>,
	Sean Christopherson <sean.j.christopherson@...el.com>,
	Shuah Khan <shuah@...nel.org>, Steve Dower <steve.dower@...hon.org>,
	Steve Grubb <sgrubb@...hat.com>,
	Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
	Vincent Strubel <vincent.strubel@....gouv.fr>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	LSM List <linux-security-module@...r.kernel.org>,
	Linux FS Devel <linux-fsdevel@...r.kernel.org>
Subject: Re: How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to
 enforce noexec mounts or file exec through O_MAYEXEC)

On Fri, May 15, 2020 at 10:43:34AM +0200, Florian Weimer wrote:
> * Kees Cook:
> 
> > Maybe I've missed some earlier discussion that ruled this out, but I
> > couldn't find it: let's just add O_EXEC and be done with it. It actually
> > makes the execve() path more like openat2() and is much cleaner after
> > a little refactoring. Here are the results, though I haven't emailed it
> > yet since I still want to do some more testing:
> > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/o_exec/v1
> 
> I think POSIX specifies O_EXEC in such a way that it does not confer
> read permissions.  This seems incompatible with what we are trying to
> achieve here.

I was trying to retain this behavior, since we already make this
distinction between execve() and uselib() with the MAY_* flags:

execve():
        struct open_flags open_exec_flags = {
                .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
                .acc_mode = MAY_EXEC,

uselib():
        static const struct open_flags uselib_flags = {
                .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
                .acc_mode = MAY_READ | MAY_EXEC,

I tried to retain this in my proposal, in the O_EXEC does not imply
MAY_READ:

+	/* Should execution permissions be checked on open? */
+	if (flags & O_EXEC) {
+		flags |= __FMODE_EXEC;
+		acc_mode |= MAY_EXEC;
+	}

-- 
Kees Cook

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.