Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 27 Jul 2020 07:27:00 +0200
From: Florian Weimer <fweimer@...hat.com>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Mickaël Salaün <mic@...ikod.net>,
  linux-kernel@...r.kernel.org,  Aleksa
 Sarai <cyphar@...har.com>,  Alexei Starovoitov <ast@...nel.org>,  Andrew
 Morton <akpm@...ux-foundation.org>,  Andy Lutomirski <luto@...nel.org>,
  Christian Brauner <christian.brauner@...ntu.com>,  Christian Heimes
 <christian@...hon.org>,  Daniel Borkmann <daniel@...earbox.net>,  Deven
 Bowers <deven.desai@...ux.microsoft.com>,  Dmitry Vyukov
 <dvyukov@...gle.com>,  Eric Biggers <ebiggers@...nel.org>,  Eric Chiang
 <ericchiang@...gle.com>,  James Morris <jmorris@...ei.org>,  Jan Kara
 <jack@...e.cz>,  Jann Horn <jannh@...gle.com>,  Jonathan Corbet
 <corbet@....net>,  Kees Cook <keescook@...omium.org>,  Lakshmi
 Ramasubramanian <nramas@...ux.microsoft.com>,  Matthew Garrett
 <mjg59@...gle.com>,  Matthew Wilcox <willy@...radead.org>,  Michael
 Kerrisk <mtk.manpages@...il.com>,  Mimi Zohar <zohar@...ux.ibm.com>,
  Philippe Trébuchet <philippe.trebuchet@....gouv.fr>,
  Scott Shell
 <scottsh@...rosoft.com>,  Sean Christopherson
 <sean.j.christopherson@...el.com>,  Shuah Khan <shuah@...nel.org>,  Steve
 Dower <steve.dower@...hon.org>,  Steve Grubb <sgrubb@...hat.com>,  Tetsuo
 Handa <penguin-kernel@...ove.sakura.ne.jp>,  Thibaut Sautereau
 <thibaut.sautereau@...p-os.org>,  Vincent Strubel
 <vincent.strubel@....gouv.fr>,  kernel-hardening@...ts.openwall.com,
  linux-api@...r.kernel.org,  linux-integrity@...r.kernel.org,
  linux-security-module@...r.kernel.org,  linux-fsdevel@...r.kernel.org,
  Thibaut Sautereau <thibaut.sautereau@....gouv.fr>
Subject: Re: [PATCH v7 4/7] fs: Introduce O_MAYEXEC flag for openat2(2)

* Al Viro:

> On Thu, Jul 23, 2020 at 07:12:24PM +0200, Mickaël Salaün wrote:
>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>> additional restrictions depending on a security policy managed by the
>> kernel through a sysctl or implemented by an LSM thanks to the
>> inode_permission hook.  This new flag is ignored by open(2) and
>> openat(2) because of their unspecified flags handling.  When used with
>> openat2(2), the default behavior is only to forbid to open a directory.
>
> Correct me if I'm wrong, but it looks like you are introducing a magical
> flag that would mean "let the Linux S&M take an extra special whip
> for this open()".
>
> Why is it done during open?  If the caller is passing it deliberately,
> why not have an explicit request to apply given torture device to an
> already opened file?  Why not sys_masochism(int fd, char *hurt_flavour),
> for that matter?

While I do not think this is appropriate language for a workplace, Al
has a point: If the auditing event can be generated on an already-open
descriptor, it would also cover scenarios like this one:

  perl < /path/to/script

Where the process that opens the file does not (and cannot) know that it
will be used for execution purposes.

Thanks,
Florian

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.