From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8EECC43331 for ; Fri, 6 Sep 2019 18:46:27 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AD082208C3 for ; Fri, 6 Sep 2019 18:46:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=tycho-ws.20150623.gappssmtp.com header.i=@tycho-ws.20150623.gappssmtp.com header.b="fW9yI0r5" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2436612AbfIFSq0 (ORCPT ); Fri, 6 Sep 2019 14:46:26 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:43087 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2436614AbfIFSqZ (ORCPT ); Fri, 6 Sep 2019 14:46:25 -0400 Received: by mail-io1-f65.google.com with SMTP id u185so14915877iod.10 for ; Fri, 06 Sep 2019 11:46:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=QRnJITRgtGPLg2irBHffabraOH6qFTHyLeWEmn2CG4k=; b=fW9yI0r5PaavEuDpO3wqhc1PKV3gT7W2PHr0YvMv8yeRB3SF0rAwRE2BkG1RKIldB5 pk0J20GIWh4t241wQZQAl1zHWNJxStYwy5kxUtaiwtqqhZ1ozaqrys8TEuTqNPhLzMt5 Zm7do94cFWUwupAl/AOKTQpMgaVyhyVNN+4sksBHKSxv/0mSVTnzzbyVyIbnqt1snF5t iguQSIF5qEqKP9/56X/CjyzTRl1ktsNgpb3jvd0i/WW+d9og8BLCwLR8APIzc18T/0uR OlizzA0soMA5t0+LMz3QvB2o7vOuygMelmEjFL6nD4NQrfX5rILFVMakZMg0djTuN2a5 pLkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=QRnJITRgtGPLg2irBHffabraOH6qFTHyLeWEmn2CG4k=; b=ohO0IojSKf+damm/xvnNA3BhqVUMK9IAmbTwJKz74t2B6a7EroPQhJIeoOkks9B9JC GU52Ic/yLft2BY4vQRDiJ+XIyVK5GTQU8T7wv+xAv+vY9FZ2UDjJNyMHf9GD58IKqktJ IR1PrA1O7GiCxPTn9ZhCNENr6ekqPfq3GL4Nq95rTeKlBTVtJNW1kx+JjJvY3HhHaXBp 3Fs3qLvPWvE2vcbb/Qc1hBn2iBC7g/ZOP/kk6gBQfTpIWp0WxgdpD2ipoC37ceXSrwLu 9bT0XThoJu+fPaluYE+3fTXTAwox2GW3kQuZq5PrajwTxsZe0sSVqMRvWxmgLnM8UDQX gYxQ== X-Gm-Message-State: APjAAAUhlRdcGVtlL02UDCxqnwuBTbRNp7DMdFIlvQgQgMsWgDDBP+EU vUUHapx5he9kD/dg3Yt/OLEViQ== X-Google-Smtp-Source: APXvYqx8a3vQaJo05FM2AJxDurm67u0wSOJsrKfOs76p1ALl+/al6SlzLMWYqNVPkldCZ7AZ/oWTyQ== X-Received: by 2002:a02:ab90:: with SMTP id t16mr12092436jan.110.1567795583168; Fri, 06 Sep 2019 11:46:23 -0700 (PDT) Received: from cisco ([2601:282:901:dd7b:49a:5f6f:e06:3c33]) by smtp.gmail.com with ESMTPSA id h4sm5578707iok.1.2019.09.06.11.46.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2019 11:46:22 -0700 (PDT) Date: Fri, 6 Sep 2019 12:46:20 -0600 From: Tycho Andersen To: Florian Weimer Cc: Christian Brauner , Aleksa Sarai , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , linux-kernel@vger.kernel.org, Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Eric Chiang , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , Mimi Zohar , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Song Liu , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() Message-ID: <20190906184620.GI7627@cisco> References: <20190906152455.22757-1-mic@digikod.net> <20190906152455.22757-2-mic@digikod.net> <87ef0te7v3.fsf@oldenburg2.str.redhat.com> <75442f3b-a3d8-12db-579a-2c5983426b4d@ssi.gouv.fr> <20190906170739.kk3opr2phidb7ilb@yavin.dot.cyphar.com> <20190906172050.v44f43psd6qc6awi@wittgenstein> <20190906174041.GH7627@cisco> <87v9u5cmb0.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87v9u5cmb0.fsf@oldenburg2.str.redhat.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: On Fri, Sep 06, 2019 at 08:27:31PM +0200, Florian Weimer wrote: > * Tycho Andersen: > > > On Fri, Sep 06, 2019 at 07:20:51PM +0200, Christian Brauner wrote: > >> On Sat, Sep 07, 2019 at 03:07:39AM +1000, Aleksa Sarai wrote: > >> > On 2019-09-06, Mickaël Salaün wrote: > >> > > > >> > > On 06/09/2019 17:56, Florian Weimer wrote: > >> > > > Let's assume I want to add support for this to the glibc dynamic loader, > >> > > > while still being able to run on older kernels. > >> > > > > >> > > > Is it safe to try the open call first, with O_MAYEXEC, and if that fails > >> > > > with EINVAL, try again without O_MAYEXEC? > >> > > > >> > > The kernel ignore unknown open(2) flags, so yes, it is safe even for > >> > > older kernel to use O_MAYEXEC. > >> > > >> > Depends on your definition of "safe" -- a security feature that you will > >> > silently not enable on older kernels doesn't sound super safe to me. > >> > Unfortunately this is a limitation of open(2) that we cannot change -- > >> > which is why the openat2(2) proposal I've been posting gives -EINVAL for > >> > unknown O_* flags. > >> > > >> > There is a way to probe for support (though unpleasant), by creating a > >> > test O_MAYEXEC fd and then checking if the flag is present in > >> > /proc/self/fdinfo/$n. > >> > >> Which Florian said they can't do for various reasons. > >> > >> It is a major painpoint if there's no easy way for userspace to probe > >> for support. Especially if it's security related which usually means > >> that you want to know whether this feature works or not. > > > > What about just trying to violate the policy via fexecve() instead of > > looking around in /proc? Still ugly, though. > > How would we do this? This is about opening the main executable as part > of an explicit loader invocation. Typically, an fexecve will succeed > and try to run the program, but with the wrong dynamic loader. Yeah, fexecve() was a think-o, sorry, you don't need to go that far. I was thinking do what the tests in this series do: create a tmpfs with MS_NOEXEC, put an executable file in it, and try and open it with O_MAYEXEC. If that works, the kernel doesn't support the flag, and it should give you -EACCES if the kernel does support the flag. Still a lot of work, though. Seems better to just use openat2. Tycho