Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 11 Aug 2020 14:36:38 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Mickaël Salaün <mic@...ikod.net>
Cc: linux-kernel@...r.kernel.org,  Aleksa Sarai <cyphar@...har.com>,  Alexei
 Starovoitov <ast@...nel.org>,  Al Viro <viro@...iv.linux.org.uk>,  Andrew
 Morton <akpm@...ux-foundation.org>,  Andy Lutomirski <luto@...nel.org>,
  Christian Brauner <christian.brauner@...ntu.com>,  Christian Heimes
 <christian@...hon.org>,  Daniel Borkmann <daniel@...earbox.net>,  Deven
 Bowers <deven.desai@...ux.microsoft.com>,  Dmitry Vyukov
 <dvyukov@...gle.com>,  Eric Biggers <ebiggers@...nel.org>,  Eric Chiang
 <ericchiang@...gle.com>,  Florian Weimer <fweimer@...hat.com>,  James
 Morris <jmorris@...ei.org>,  Jan Kara <jack@...e.cz>,  Jann Horn
 <jannh@...gle.com>,  Jonathan Corbet <corbet@....net>,  Kees Cook
 <keescook@...omium.org>,  Lakshmi Ramasubramanian
 <nramas@...ux.microsoft.com>,  Matthew Garrett <mjg59@...gle.com>,
  Matthew Wilcox <willy@...radead.org>,  Michael Kerrisk
 <mtk.manpages@...il.com>,  Mimi Zohar <zohar@...ux.ibm.com>,  Philippe
 Trébuchet <philippe.trebuchet@....gouv.fr>,  Scott Shell
 <scottsh@...rosoft.com>,  Sean Christopherson
 <sean.j.christopherson@...el.com>,  Shuah Khan <shuah@...nel.org>,  Steve
 Dower <steve.dower@...hon.org>,  Steve Grubb <sgrubb@...hat.com>,  Tetsuo
 Handa <penguin-kernel@...ove.SAKURA.ne.jp>,  Thibaut Sautereau
 <thibaut.sautereau@...p-os.org>,  Vincent Strubel
 <vincent.strubel@....gouv.fr>,  kernel-hardening@...ts.openwall.com,
  linux-api@...r.kernel.org,  linux-integrity@...r.kernel.org,
  linux-security-module@...r.kernel.org,  linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v7 3/7] exec: Move path_noexec() check earlier

Mickaël Salaün <mic@...ikod.net> writes:

> From: Kees Cook <keescook@...omium.org>
>
> The path_noexec() check, like the regular file check, was happening too
> late, letting LSMs see impossible execve()s. Check it earlier as well
> in may_open() and collect the redundant fs/exec.c path_noexec() test
> under the same robustness comment as the S_ISREG() check.
>
> My notes on the call path, and related arguments, checks, etc:

A big question arises, that I think someone already asked.

Why perform this test in may_open directly instead of moving
it into inode_permission.  That way the code can be shared with
faccessat, and any other code path that wants it?

That would look to provide a more maintainable kernel.

Eric


> do_open_execat()
>     struct open_flags open_exec_flags = {
>         .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
>         .acc_mode = MAY_EXEC,
>         ...
>     do_filp_open(dfd, filename, open_flags)
>         path_openat(nameidata, open_flags, flags)
>             file = alloc_empty_file(open_flags, current_cred());
>             do_open(nameidata, file, open_flags)
>                 may_open(path, acc_mode, open_flag)
>                     /* new location of MAY_EXEC vs path_noexec() test */
>                     inode_permission(inode, MAY_OPEN | acc_mode)
>                         security_inode_permission(inode, acc_mode)
>                 vfs_open(path, file)
>                     do_dentry_open(file, path->dentry->d_inode, open)
>                         security_file_open(f)
>                         open()
>     /* old location of path_noexec() test */
>
> Signed-off-by: Mickaël Salaün <mic@...ikod.net>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> Link: https://lore.kernel.org/r/20200605160013.3954297-4-keescook@chromium.org
> ---
>  fs/exec.c  | 12 ++++--------
>  fs/namei.c |  4 ++++
>  2 files changed, 8 insertions(+), 8 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index bdc6a6eb5dce..4eea20c27b01 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -147,10 +147,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
>  	 * and check again at the very end too.
>  	 */
>  	error = -EACCES;
> -	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
> -		goto exit;
> -
> -	if (path_noexec(&file->f_path))
> +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
> +			 path_noexec(&file->f_path)))
>  		goto exit;
>  
>  	fsnotify_open(file);
> @@ -897,10 +895,8 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
>  	 * and check again at the very end too.
>  	 */
>  	err = -EACCES;
> -	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode)))
> -		goto exit;
> -
> -	if (path_noexec(&file->f_path))
> +	if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) ||
> +			 path_noexec(&file->f_path)))
>  		goto exit;
>  
>  	err = deny_write_access(file);
> diff --git a/fs/namei.c b/fs/namei.c
> index a559ad943970..ddc9b25540fe 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2863,6 +2863,10 @@ static int may_open(const struct path *path, int acc_mode, int flag)
>  			return -EACCES;
>  		flag &= ~O_TRUNC;
>  		break;
> +	case S_IFREG:
> +		if ((acc_mode & MAY_EXEC) && path_noexec(path))
> +			return -EACCES;
> +		break;
>  	}
>  
>  	error = inode_permission(inode, MAY_OPEN | acc_mode);

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.