From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id AF1B3C2D0F8 for ; Tue, 12 May 2020 20:35:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8FA192312B for ; Tue, 12 May 2020 20:35:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731222AbgELUfq (ORCPT ); Tue, 12 May 2020 16:35:46 -0400 Received: from out02.mta.xmission.com ([166.70.13.232]:42488 "EHLO out02.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731183AbgELUfo (ORCPT ); Tue, 12 May 2020 16:35:44 -0400 Received: from in02.mta.xmission.com ([166.70.13.52]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jYbch-0002xz-HY; Tue, 12 May 2020 14:35:31 -0600 Received: from ip68-227-160-95.om.om.cox.net ([68.227.160.95] helo=x220.xmission.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from ) id 1jYbcg-0006hZ-NY; Tue, 12 May 2020 14:35:31 -0600 From: ebiederm@xmission.com (Eric W. Biederman) To: Kees Cook Cc: Linus Torvalds , Tetsuo Handa , Linux Kernel Mailing List , Oleg Nesterov , Jann Horn , Greg Ungerer , Rob Landley , Bernd Edlinger , linux-fsdevel , Al Viro , Alexey Dobriyan , Andrew Morton , Casey Schaufler , LSM List , James Morris , "Serge E. Hallyn" , Andy Lutomirski References: <87h7wujhmz.fsf@x220.int.ebiederm.org> <87sgga6ze4.fsf@x220.int.ebiederm.org> <87v9l4zyla.fsf_-_@x220.int.ebiederm.org> <87eerszyim.fsf_-_@x220.int.ebiederm.org> <87sgg6v8we.fsf@x220.int.ebiederm.org> <202005111428.B094E3B76A@keescook> <874kslq9jm.fsf@x220.int.ebiederm.org> <202005121218.ED0B728DA@keescook> Date: Tue, 12 May 2020 15:31:57 -0500 In-Reply-To: <202005121218.ED0B728DA@keescook> (Kees Cook's message of "Tue, 12 May 2020 12:25:24 -0700") Message-ID: <87lflwq4hu.fsf@x220.int.ebiederm.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1jYbcg-0006hZ-NY;;;mid=<87lflwq4hu.fsf@x220.int.ebiederm.org>;;;hst=in02.mta.xmission.com;;;ip=68.227.160.95;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX1+qsyyfmYubd8DotJ8yuQl163vwuqW1glQ= X-SA-Exim-Connect-IP: 68.227.160.95 X-SA-Exim-Mail-From: ebiederm@xmission.com Subject: Re: [PATCH 3/5] exec: Remove recursion from search_binary_handler X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org Kees Cook writes: > On Tue, May 12, 2020 at 01:42:53PM -0500, Eric W. Biederman wrote: >> Kees Cook writes: >> > Should binfmt_misc do the install, or can the consuming binfmt do it? >> > i.e. when binfmt_elf sees bprm->execfd, does it perform the install >> > instead? >> >> I am still thinking about this one, but here is where I am at. At a >> practical level passing the file descriptor of the script to interpreter >> seems like something we should encourage in the long term. It removes >> races and it is cheaper because then the interpreter does not have to >> turn around and open the script itself. > > Yeah, this does sounds pretty good, though I have concerns about doing > it for a process that isn't expecting it. I've seen a lot of bad code > make assumptions about initial fd numbers. :( Yes. That is definitely a concern. >> Strictly speaking binfmt_misc should not need to close the file >> descriptor in binfmt_misc because we have already unshared the files >> struct and reset_files_struct should handle restoring it. > > If I get what you mean, I agree. The error case is fine. > >> Calling fd_install in binfmt_misc still seems wrong, as that exposes >> the new file descriptor to user space with the old creds. > > I haven't dug into the details here -- is there a real risk here? The > old creds are what opened the file originally for the exec. Are you > thinking about executable-but-not-readable files? I am thinking about looking in proc//fd and maybe opening those files. That access is gated by ptrace_may_access which is gated by the process credentials. So I know strictly speaking it is wrong. I think you are correct that it would only allow access to a file that could be accessed another way. Even execveat at a quick glance appears to go through the orinary permission checks of open. The current code is definitely a maintenance pitfall as it install state into the process early. >> It is possible although unlikely for userspace to find the file >> descriptor without consulting AT_EXECFD so just to be conservative I >> think we should install the file descriptor in begin_new_exec even if >> the next interpreter does not support AT_EXECFD. > > I think universally installing the fd needs to be a distinct patch -- > it's going to have a lot of consequences, IMO. We can certainly deal > with them, but I don't think it should be part of this clean-up series. I meant generically installing the fd not universally installing it. >> I am still working on how to handle recursive binfmts but I suspect it >> is just a matter of having an array of struct files in struct >> linux_binprm. > > If install is left if binfmt_misc, then the recursive problem goes away, > yes? I don't think leaving the install in binfmt_misc is responsible at this point. Eric