|
Message-ID: <20200722161639.GA24129@gandi.net> Date: Wed, 22 Jul 2020 18:16:39 +0200 From: Thibaut Sautereau <thibaut.sautereau@...p-os.org> To: Kees Cook <keescook@...omium.org>, Mickaël Salaün <mic@...ikod.net> Cc: linux-kernel@...r.kernel.org, Aleksa Sarai <cyphar@...har.com>, Alexei Starovoitov <ast@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...nel.org>, Christian Brauner <christian.brauner@...ntu.com>, Christian Heimes <christian@...hon.org>, Daniel Borkmann <daniel@...earbox.net>, Deven Bowers <deven.desai@...ux.microsoft.com>, Dmitry Vyukov <dvyukov@...gle.com>, Eric Biggers <ebiggers@...nel.org>, Eric Chiang <ericchiang@...gle.com>, Florian Weimer <fweimer@...hat.com>, James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Matthew Garrett <mjg59@...gle.com>, Matthew Wilcox <willy@...radead.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Mimi Zohar <zohar@...ux.ibm.com>, Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, Scott Shell <scottsh@...rosoft.com>, Sean Christopherson <sean.j.christopherson@...el.com>, Shuah Khan <shuah@...nel.org>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Thibaut Sautereau <thibaut.sautereau@....gouv.fr>, Vincent Strubel <vincent.strubel@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote: > > On 15/07/2020 22:37, Kees Cook wrote: > > On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote: > >> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int acc_mode, int flag) > >> case S_IFLNK: > >> return -ELOOP; > >> case S_IFDIR: > >> - if (acc_mode & (MAY_WRITE | MAY_EXEC)) > >> + if (acc_mode & (MAY_WRITE | MAY_EXEC | MAY_OPENEXEC)) > >> return -EISDIR; > >> break; > > > > (I need to figure out where "open for reading" rejects S_IFDIR, since > > it's clearly not here...) Doesn't it come from generic_read_dir() in fs/libfs.c? > > > >> case S_IFBLK: > >> @@ -2859,13 +2865,26 @@ static int may_open(const struct path *path, int acc_mode, int flag) > >> fallthrough; > >> case S_IFIFO: > >> case S_IFSOCK: > >> - if (acc_mode & MAY_EXEC) > >> + if (acc_mode & (MAY_EXEC | MAY_OPENEXEC)) > >> return -EACCES; > >> flag &= ~O_TRUNC; > >> break; > > > > This will immediately break a system that runs code with MAY_OPENEXEC > > set but reads from a block, char, fifo, or socket, even in the case of > > a sysadmin leaving the "file" sysctl disabled. > > As documented, O_MAYEXEC is for regular files. The only legitimate use > case seems to be with pipes, which should probably be allowed when > enforcement is disabled. By the way Kees, while we fix that for the next series, do you think it would be relevant, at least for the sake of clarity, to add a WARN_ON_ONCE(acc_mode & MAY_OPENEXEC) for the S_IFSOCK case, since a socket cannot be open anyway? -- Thibaut Sautereau CLIP OS developer
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.