|
Message-ID: <202007160822.CCDB5478@keescook> Date: Thu, 16 Jul 2020 08:31:32 -0700 From: Kees Cook <keescook@...omium.org> To: Mickaël Salaün <mic@...ikod.net> Cc: Jan Kara <jack@...e.cz>, Matthew Bobrowski <mbobrowski@...browski.org>, linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org, Aleksa Sarai <cyphar@...har.com>, Alexei Starovoitov <ast@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...nel.org>, Christian Brauner <christian.brauner@...ntu.com>, Christian Heimes <christian@...hon.org>, Daniel Borkmann <daniel@...earbox.net>, Deven Bowers <deven.desai@...ux.microsoft.com>, Dmitry Vyukov <dvyukov@...gle.com>, Eric Biggers <ebiggers@...nel.org>, Eric Chiang <ericchiang@...gle.com>, Florian Weimer <fweimer@...hat.com>, James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Matthew Garrett <mjg59@...gle.com>, Matthew Wilcox <willy@...radead.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Mimi Zohar <zohar@...ux.ibm.com>, Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, Scott Shell <scottsh@...rosoft.com>, Sean Christopherson <sean.j.christopherson@...el.com>, Shuah Khan <shuah@...nel.org>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>, Thibaut Sautereau <thibaut.sautereau@....gouv.fr>, Vincent Strubel <vincent.strubel@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH v6 4/7] fs: Introduce O_MAYEXEC flag for openat2(2) On Thu, Jul 16, 2020 at 04:18:27PM +0200, Mickaël Salaün wrote: > On 15/07/2020 22:06, Kees Cook wrote: > > On Tue, Jul 14, 2020 at 08:16:35PM +0200, Mickaël Salaün wrote: > >> The implementation of O_MAYEXEC almost duplicates what execve(2) and > >> uselib(2) are already doing: setting MAY_OPENEXEC in acc_mode (which can > >> then be checked as MAY_EXEC, if enforced), and propagating FMODE_EXEC to > >> _fmode via __FMODE_EXEC flag (which can then trigger a > >> fanotify/FAN_OPEN_EXEC event). > >> [...] > > > > Adding __FMODE_EXEC here will immediately change the behaviors of NFS > > and fsnotify. If that's going to happen, I think it needs to be under > > the control of the later patches doing the behavioral controls. > > (specifically, NFS looks like it completely changes its access control > > test when this is set and ignores the read/write checks entirely, which > > is not what's wanted). > > __FMODE_EXEC was suggested by Jan Kara and Matthew Bobrowski because of > fsnotify. However, the NFS handling of SUID binaries [1] indeed leads to > an unintended behavior. This also means that uselib(2) shouldn't work > properly with NFS. I can remove the __FMODE_EXEC flag for now. I kind of wonder if we need to more completely fix __FMODE_EXEC? > [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f8d9a897d4384b77f13781ea813156568f68b83e Hmpf, this implies that "fmode" should contain MAY_EXEC? It really looks like __FMODE_EXEC is a hack for places where only "flags" were passed around, and this only seems to be an issue for NFS at this point? And it should be fixable for fsnotify too? Hmm. (And nothing should use uselib anyway...) -- Kees Cook
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.