From: Kees Cook <keescook@chromium.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Eric Biggers <ebiggers3@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org,
John Johansen <john.johansen@canonical.com>
Subject: Re: [PATCH 0/4] Relocate execve() sanity checks
Date: Tue, 19 May 2020 14:17:22 -0700 [thread overview]
Message-ID: <202005191342.97EE972E3@keescook> (raw)
In-Reply-To: <87sgfvrckr.fsf@x220.int.ebiederm.org>
On Tue, May 19, 2020 at 01:42:28PM -0500, Eric W. Biederman wrote:
> Kees Cook <keescook@chromium.org> writes:
>
> > On Tue, May 19, 2020 at 12:41:27PM -0500, Eric W. Biederman wrote:
> >> Kees Cook <keescook@chromium.org> writes:
> >> > and given the LSM hooks, I think the noexec check is too late as well.
> >> > (This is especially true for the coming O_MAYEXEC series, which will
> >> > absolutely need those tests earlier as well[1] -- the permission checking
> >> > is then in the correct place: during open, not exec.) I think the only
> >> > question is about leaving the redundant checks in fs/exec.c, which I
> >> > think are a cheap way to retain a sense of robustness.
> >>
> >> The trouble is when someone passes through changes one of the permission
> >> checks for whatever reason (misses that they are duplicated in another
> >> location) and things then fail in some very unexpected way.
> >
> > Do you think this series should drop the "late" checks in fs/exec.c?
> > Honestly, the largest motivation for me to move the checks earlier as
> > I've done is so that other things besides execve() can use FMODE_EXEC
> > during open() and receive the same sanity-checking as execve() (i.e the
> > O_MAYEXEC series -- the details are still under discussion but this
> > cleanup will be needed regardless).
>
> I think this series should drop the "late" checks in fs/exec.c It feels
> less error prone, and it feels like that would transform this into
> something Linus would be eager to merge because series becomes a cleanup
> that reduces line count.
Yeah, that was my initial sense too. I just started to get nervous about
removing the long-standing exec sanity checks. ;)
> I haven't been inside of open recently enough to remember if the
> location you are putting the check fundamentally makes sense. But the
> O_MAYEXEC bits make a pretty strong case that something of the sort
> needs to happen.
Right. I *think* it's correct place for now, based on my understanding
of the call graph (which is why I included it in the commit logs).
> I took a quick look but I can not see clearly where path_noexec
> and the regular file tests should go.
>
> I do see that you have code duplication with faccessat which suggests
> that you haven't put the checks in the right place.
Yeah, I have notes on the similar call sites (which I concluded, perhaps
wrongly) to ignore:
do_faccessat()
user_path_at(dfd, filename, lookup_flags, &path);
if (acc_mode & MAY_EXEC .... path_noexec()
inode_permission(inode, mode | MAY_ACCESS);
This appears to be strictly advisory, and the path_noexec() test is
there to, perhaps, avoid surprises when doing access() then fexecve()?
I would note, however, that that path-based LSMs appear to have no hook
in this call graph at all. I was expecting a call like:
security_file_permission(..., mode | MAY_ACCESS)
but I couldn't find one (or anything like it), so only
inode_permission() is being tested (which means also the existing
execve() late tests are missed, and the newly added S_ISREG() test from
do_dentry_open() is missed).
prctl_set_mm_exe_file()
err = -EACCESS;
if (!S_ISREG(inode->i_mode) || path_noexec(&exe.file->f_path))
goto exit;
err = inode_permission(inode, MAY_EXEC);
This is similar (no path-based LSM hooks present, only inode_permission()
used for permission checking), but it is at least gated by CAP_SYS_ADMIN.
And this bring me to a related question from my review: does
dentry_open() intentionally bypass security_inode_permission()? I.e. it
calls vfs_open() not do_open():
openat2(dfd, char * filename, open_how)
build_open_flags(open_how, open_flags)
do_filp_open(dfd, filename, open_flags)
path_openat(nameidata, open_flags, flags)
file = alloc_empty_file(open_flags, current_cred());
do_open(nameidata, file, open_flags)
may_open(path, acc_mode, open_flag)
inode_permission(inode, MAY_OPEN | acc_mode)
security_inode_permission(inode, acc_mode)
vfs_open(path, file)
do_dentry_open(file, path->dentry->d_inode, open)
if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) ...
security_file_open(f)
/* path-based LSMs check for open here
* and use FMODE_* flags to determine how a file
* is being opened. */
open()
vs
dentry_open(path, flags, cred)
f = alloc_empty_file(flags, cred);
vfs_open(path, f);
I would expect dentry_open() to mostly duplicate a bunch of
path_openat(), but it lacks the may_open() call, etc.
I really got the feeling that there was some new conceptual split needed
inside do_open() where the nameidata details have been finished, after
we've gained the "file" information, but before we've lost the "path"
information. For example, may_open(path, ...) has no sense of "file",
though it does do the inode_permission() call.
Note also that may_open() is used in do_tmpfile() too, and has a comment
implying it needs to be checking only a subset of the path details. So
I'm not sure how to split things up.
So, that's why I put the new checks just before the may_open() call in
do_open(): it's the most central, positions itself correctly for dealing
with O_MAYEXEC, and doesn't appear to make any existing paths worse.
> I am wondering if we need something distinct to request the type of the
> file being opened versus execute permissions.
Well, this is why I wanted to centralize it -- the knowledge of how a
file is going to be used needs to be tested both by the core VFS
(S_ISREG, path_noexec) and the LSMs. Things were inconsistent before.
> All I know is being careful and putting the tests in a good logical
> place makes the code more maintainable, whereas not being careful
> results in all kinds of sharp corners that might be exploitable.
> So I think it is worth digging in and figuring out where those checks
> should live. Especially so that code like faccessat does not need
> to duplicate them.
I think this is the right place with respect to execve(), though I think
there are other cases that could use to be improved (or at least made
more consistent).
-Kees
--
Kees Cook
next prev parent reply other threads:[~2020-05-19 21:17 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 5:54 [PATCH 0/4] Relocate execve() sanity checks Kees Cook
2020-05-18 5:54 ` [PATCH 1/4] exec: Change uselib(2) IS_SREG() failure to EACCES Kees Cook
2020-05-18 13:02 ` Christian Brauner
2020-05-18 14:43 ` Jann Horn
2020-05-18 14:46 ` Christian Brauner
2020-05-18 23:57 ` Eric W. Biederman
2020-05-19 8:11 ` Christian Brauner
2020-05-19 8:37 ` Andreas Schwab
2020-05-19 11:56 ` Eric W. Biederman
2020-05-19 12:12 ` Andreas Schwab
2020-05-19 12:28 ` Eric W. Biederman
2020-05-19 13:29 ` Christian Brauner
2020-05-19 14:49 ` Eric W. Biederman
2020-05-19 13:13 ` Christian Brauner
2020-05-19 14:32 ` Geert Uytterhoeven
2020-05-19 14:47 ` Christian Brauner
2020-05-18 5:54 ` [PATCH 2/4] exec: Relocate S_ISREG() check Kees Cook
[not found] ` <20200525091420.GI12456@shao2-debian>
2020-06-04 22:45 ` [exec] 166d03c9ec: ltp.execveat02.fail Kees Cook
2020-06-05 2:57 ` Kees Cook
2020-05-18 5:54 ` [PATCH 3/4] exec: Relocate path_noexec() check Kees Cook
2020-05-18 5:54 ` [PATCH 4/4] fs: Include FMODE_EXEC when converting flags to f_mode Kees Cook
2020-05-19 15:06 ` [PATCH 0/4] Relocate execve() sanity checks Eric W. Biederman
2020-05-19 16:26 ` Kees Cook
2020-05-19 17:41 ` Eric W. Biederman
2020-05-19 17:56 ` Kees Cook
2020-05-19 18:42 ` Eric W. Biederman
2020-05-19 21:17 ` Kees Cook [this message]
2020-05-19 22:58 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202005191342.97EE972E3@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=ebiederm@xmission.com \
--cc=ebiggers3@gmail.com \
--cc=john.johansen@canonical.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).