From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1F04DC433E0 for ; Thu, 14 May 2020 16:10:49 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E62992065D for ; Thu, 14 May 2020 16:10:48 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ME8yQCgb" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727853AbgENQKs (ORCPT ); Thu, 14 May 2020 12:10:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51378 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726073AbgENQKs (ORCPT ); Thu, 14 May 2020 12:10:48 -0400 Received: from mail-oi1-x243.google.com (mail-oi1-x243.google.com [IPv6:2607:f8b0:4864:20::243]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE62CC061A0C; Thu, 14 May 2020 09:10:43 -0700 (PDT) Received: by mail-oi1-x243.google.com with SMTP id c12so24004768oic.1; Thu, 14 May 2020 09:10:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=D5CbZd976r0FX8cps+cJg5GK1CX9lUZ+rR6vnN8xQ1g=; b=ME8yQCgbH2SZIDcdab7oOsHlv314+eYedrIFbgnDiv53fMIMW6h9hp1VKmEFSyrYZI ZSs829U1wHjFRgb8Z16vo5mQfCn03DReReAjYmZtQ2fcNZlTCtKTUnI1QwBesLOPRl0W d6vcjzwONEDKS9hHqk07r5NGbdWF3yHtjy/r+Rr5V0YC3Dp2aEo4V12d2OectxjEIosS WdY7O9cXLsRXiweqFenSDiCPZmyIDpM4iTXd71EmDlwoyHHu3I7PSr8magZZobs/ZFZB fiIstOhiEvBiglPKnuaRHDddwv4WaI/VifjsX4Xw/CdRzk8xvmHD8S4XS0Uz/yRBSm0f gNeA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=D5CbZd976r0FX8cps+cJg5GK1CX9lUZ+rR6vnN8xQ1g=; b=pcG74EqGa3HTz9NLzLGwtB1vzr8JkBWiP82bMyF5J+Olxs2771Hxu490B7w9qqd8iO 2xeXbnOxCWNjKlPzlVpiM0TOjdfO2BirarUbZ01Xs9xVayD5MyAYd3dgUdat5GEgAW46 xKvvHaHBxSJ5D88VnMyC5FYae5+CWPQTW5OBO5Xv9d7GSrqMfU9tFVJIR2EjIkv4RsQB iTtF7LLp9U9TaUPgmKqJtw+V8ZyzcerzaaYSDefifhozyZzSF/gEWzFU8+BlsZsHtHO7 ggtBnNZOoMDoLf/uIz2aGp1jBdpg7YIeQyOXoPD44079O1baAgu6D2P5R41KjMRlbqcj 5yWA== X-Gm-Message-State: AGi0PuaDKdl5VQO8o9wwHt9zkzkyL4VOkSoS4ZANkOdkny6ehVmMN58z neXRoTaoj1FFi8iaMQ/oVaXmGD91CO1c9j1vMJQ= X-Google-Smtp-Source: APiQypKtIw3xzkHAtALvSyqt4k9eNzYlxJoUxyheJsa+r6YEEdui4LketFU7MqwuU2v/F0vGykL4KdxDlzE9Lo0hTmQ= X-Received: by 2002:aca:5e0b:: with SMTP id s11mr29579870oib.160.1589472642862; Thu, 14 May 2020 09:10:42 -0700 (PDT) MIME-Version: 1.0 References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-4-mic@digikod.net> <202005131525.D08BFB3@keescook> <202005132002.91B8B63@keescook> <202005140830.2475344F86@keescook> In-Reply-To: <202005140830.2475344F86@keescook> From: Stephen Smalley Date: Thu, 14 May 2020 12:10:31 -0400 Message-ID: Subject: Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC To: Kees Cook Cc: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , linux-kernel , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Deven Bowers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=C3=A9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, LSM List , Linux FS Devel Content-Type: text/plain; charset="UTF-8" Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org On Thu, May 14, 2020 at 11:45 AM Kees Cook wrote: > > On Thu, May 14, 2020 at 08:22:01AM -0400, Stephen Smalley wrote: > > On Wed, May 13, 2020 at 11:05 PM Kees Cook wrote: > > > > > > On Wed, May 13, 2020 at 04:27:39PM -0700, Kees Cook wrote: > > > > Like, couldn't just the entire thing just be: > > > > > > > > diff --git a/fs/namei.c b/fs/namei.c > > > > index a320371899cf..0ab18e19f5da 100644 > > > > --- a/fs/namei.c > > > > +++ b/fs/namei.c > > > > @@ -2849,6 +2849,13 @@ static int may_open(const struct path *path, int acc_mode, int flag) > > > > break; > > > > } > > > > > > > > + if (unlikely(mask & MAY_OPENEXEC)) { > > > > + if (sysctl_omayexec_enforce & OMAYEXEC_ENFORCE_MOUNT && > > > > + path_noexec(path)) > > > > + return -EACCES; > > > > + if (sysctl_omayexec_enforce & OMAYEXEC_ENFORCE_FILE) > > > > + acc_mode |= MAY_EXEC; > > > > + } > > > > error = inode_permission(inode, MAY_OPEN | acc_mode); > > > > if (error) > > > > return error; > > > > > > > > > > FYI, I've confirmed this now. Effectively with patch 2 dropped, patch 3 > > > reduced to this plus the Kconfig and sysctl changes, the self tests > > > pass. > > > > > > I think this makes things much cleaner and correct. > > > > I think that covers inode-based security modules but not path-based > > ones (they don't implement the inode_permission hook). For those, I > > would tentatively guess that we need to make sure FMODE_EXEC is set on > > the open file and then they need to check for that in their file_open > > hooks. > > I kept confusing myself about what order things happened in, so I made > these handy notes about the call graph: > > openat2(dfd, char * filename, open_how) > do_filp_open(dfd, filename, open_flags) > path_openat(nameidata, open_flags, flags) > do_open(nameidata, file, open_flags) > may_open(path, acc_mode, open_flag) > inode_permission(inode, MAY_OPEN | acc_mode) > security_inode_permission(inode, acc_mode) > vfs_open(path, file) > do_dentry_open(file, path->dentry->d_inode, open) > if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) ... > security_file_open(f) > open() > > So, it looks like adding FMODE_EXEC into f_flags in do_open() is needed in > addition to injecting MAY_EXEC into acc_mode in do_open()? Hmmm Just do both in build_open_flags() and be done with it? Looks like he was already setting FMODE_EXEC in patch 1 so we just need to teach AppArmor/TOMOYO to check for it and perform file execute checking in that case if !current->in_execve?