Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CALCETrVR5d2XTpAN8QLRv3cYDfpAdZRNNcD-TtE5H+v7-i7QhQ@mail.gmail.com>
Date: Fri, 6 Sep 2019 14:27:19 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Jeff Layton <jlayton@...nel.org>
Cc: Aleksa Sarai <cyphar@...har.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, 
	Florian Weimer <fweimer@...hat.com>, Mickaël Salaün <mic@...ikod.net>, 
	LKML <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, 
	Al Viro <viro@...iv.linux.org.uk>, Andy Lutomirski <luto@...nel.org>, 
	Christian Heimes <christian@...hon.org>, Daniel Borkmann <daniel@...earbox.net>, 
	Eric Chiang <ericchiang@...gle.com>, James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>, 
	Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, 
	Matthew Garrett <mjg59@...gle.com>, Matthew Wilcox <willy@...radead.org>, 
	Michael Kerrisk <mtk.manpages@...il.com>, Mimi Zohar <zohar@...ux.ibm.com>, 
	Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, 
	Scott Shell <scottsh@...rosoft.com>, 
	Sean Christopherson <sean.j.christopherson@...el.com>, Shuah Khan <shuah@...nel.org>, 
	Song Liu <songliubraving@...com>, Steve Dower <steve.dower@...hon.org>, 
	Steve Grubb <sgrubb@...hat.com>, Thibaut Sautereau <thibaut.sautereau@....gouv.fr>, 
	Vincent Strubel <vincent.strubel@....gouv.fr>, 
	Yves-Alexis Perez <yves-alexis.perez@....gouv.fr>, 
	Kernel Hardening <kernel-hardening@...ts.openwall.com>, Linux API <linux-api@...r.kernel.org>, 
	LSM List <linux-security-module@...r.kernel.org>, 
	Linux FS Devel <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open()

> On Sep 6, 2019, at 1:51 PM, Jeff Layton <jlayton@...nel.org> wrote:
>
> On Fri, 2019-09-06 at 13:06 -0700, Andy Lutomirski wrote:
>
>> I’m not at all convinced that the kernel needs to distinguish all these, but at least upgradability should be its own thing IMO.
>
> Good point. Upgradability is definitely orthogonal, though the idea
> there is to alter the default behavior. If the default is NOEXEC then
> UPGRADE_EXEC would make sense.
>
> In any case, I was mostly thinking about the middle two in your list
> above. After more careful reading of the patches, I now get get that
> Mickaël is more interested in the first, and that's really a different
> sort of use-case.
>
> Most opens never result in the fd being fed to fexecve or mmapped with
> PROT_EXEC, so having userland explicitly opt-in to allowing that during
> the open sounds like a reasonable thing to do.
>
> But I get that preventing execution via script interpreters of files
> that are not executable might be something nice to have.
>
> Perhaps we need two flags for openat2?
>
> OA2_MAYEXEC : test that permissions allow execution and that the file
> doesn't reside on a noexec mount before allowing the open
>
> OA2_EXECABLE : only allow fexecve or mmapping with PROT_EXEC if the fd
> was opened with this
>
>
>

We could go one step farther and have three masks: check_perms,
fd_perms, and upgrade_perms.  check_perms says “fail if I don’t have
these perms”.  fd_perms is the permissions on the returned fd, and
upgrade_perms is the upgrade mask.  (fd_perms  & ~check_perms) != 0 is
an error.  This makes it possible to say "I want to make sure the file
is writable, but I don't actually want to write to it", which could
plausibly be useful.

I would argue that these things should have new, sane bits, e.g.
FILE_READ, FILE_WRITE, and FILE_EXECUTE (or maybe FILE_MAP_EXEC and
FILE_EXECVE).  And maybe there should be at least 16 bits for each
mask reserved.  Windows has a lot more mode bits than Linux, and it's
not entirely nuts.  We do *not* need any direct equivalent of O_RDWR
for openat2().

--Andy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.