From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.9 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE600C433DF for ; Fri, 15 May 2020 15:47:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B7F3820758 for ; Fri, 15 May 2020 15:47:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="EmpMZVAX" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726645AbgEOPrE (ORCPT ); Fri, 15 May 2020 11:47:04 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46594 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1726183AbgEOPrB (ORCPT ); Fri, 15 May 2020 11:47:01 -0400 Received: from mail-pg1-x541.google.com (mail-pg1-x541.google.com [IPv6:2607:f8b0:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A695C061A0C for ; Fri, 15 May 2020 08:47:01 -0700 (PDT) Received: by mail-pg1-x541.google.com with SMTP id a4so1133786pgc.0 for ; Fri, 15 May 2020 08:47:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=Tp1yJFYJhgIbfd5lJGD8jRi3pZ2NypuWNlZpcocDHT8=; b=EmpMZVAX1wx85vkyBc5/P+fYj2mwnLAsTm/P4yiv2KtxbvHfmZAwhR+zjtV1EBhN2X BReu4CY5qEYsHFiewS4+kAzWLVXb73otKnet+n4x7VjkZgTqLwE+vnM+jnEi+nk1c7ty vSY1B2yu2bdPwD71vBpulqYgYRqhkd1jMHSj0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=Tp1yJFYJhgIbfd5lJGD8jRi3pZ2NypuWNlZpcocDHT8=; b=l/7ZHqyTgLW9B3LJs2gpt00IVChczcJ9u4nTT0iR3YszCtg+zXq5WjnrTsdUkqZslW vXEpkiivETvofKzgFfLPQSXXgf2wYVX19EIanIi92pIj3MVgbHNHNuzRys/YqnkSp09a Tv00VEbXEQz93AHfHFokGC0zL+VKO/yuAzGtIkbEhTBW9HLtQzwy/QqfVhEXsUJLo4pR A1tWMTuCuA6JXsi2MkZoa1dt2tC6Sl/fggEHID5uS1sPBNQml7jEYOFj9Oes9tVTBFSh MXysVQqpr0GBUeAxciiCuOUckLhHnTO1MXL5gUJvRPk6X9ZV0mBKZNP3mkmF/7tLXkSD B4gw== X-Gm-Message-State: AOAM532XZ/BAsIT+mT4/abDAV/jchFLHZvAnGf3+R0qNe4WOVN3apq6o PwqgpwuU0sjN4fdp5ATa5rlc/Q== X-Google-Smtp-Source: ABdhPJxCxRIctKkG0jiZ7deyGgcCZJ1ccBYUj9+mcaG6GziW+a6F3XU/NV7eHM88WzhDbWN5XVC/mA== X-Received: by 2002:aa7:8603:: with SMTP id p3mr3963913pfn.116.1589557620660; Fri, 15 May 2020 08:47:00 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id i9sm2261604pfk.199.2020.05.15.08.46.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 May 2020 08:46:59 -0700 (PDT) Date: Fri, 15 May 2020 08:46:57 -0700 From: Kees Cook To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: Al Viro , Aleksa Sarai , Andy Lutomirski , Mimi Zohar , Stephen Smalley , Christian Heimes , Deven Bowers , Tetsuo Handa , John Johansen , Kentaro Takeda , "Lev R. Oshvang ." , Alexei Starovoitov , Daniel Borkmann , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , linux-kernel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, LSM List , Linux FS Devel , Rich Felker Subject: Re: How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC) Message-ID: <202005150740.F0154DEC@keescook> References: <20200505153156.925111-4-mic@digikod.net> <202005131525.D08BFB3@keescook> <202005132002.91B8B63@keescook> <202005140830.2475344F86@keescook> <202005142343.D580850@keescook> <1e2f6913-42f2-3578-28ed-567f6a4bdda1@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1e2f6913-42f2-3578-28ed-567f6a4bdda1@digikod.net> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 15, 2020 at 01:04:08PM +0200, Mickaël Salaün wrote: > > On 15/05/2020 10:01, Kees Cook wrote: > > On Thu, May 14, 2020 at 09:16:13PM +0200, Mickaël Salaün wrote: > >> On 14/05/2020 18:10, Stephen Smalley wrote: > >>> On Thu, May 14, 2020 at 11:45 AM Kees Cook wrote: > >>>> So, it looks like adding FMODE_EXEC into f_flags in do_open() is needed in > >>>> addition to injecting MAY_EXEC into acc_mode in do_open()? Hmmm > >>> > >>> Just do both in build_open_flags() and be done with it? Looks like he > >>> was already setting FMODE_EXEC in patch 1 so we just need to teach > >>> AppArmor/TOMOYO to check for it and perform file execute checking in > >>> that case if !current->in_execve? > >> > >> I can postpone the file permission check for another series to make this > >> one simpler (i.e. mount noexec only). Because it depends on the sysctl > >> setting, it is OK to add this check later, if needed. In the meantime, > >> AppArmor and Tomoyo could be getting ready for this. > > > > So, after playing around with this series, investigating Stephen's > > comments, digging through the existing FMODE_EXEC uses, and spending a > > bit more time thinking about Lev and Aleksa's dislike of the sysctls, I've > > got a much more radically simplified solution that I think could work. > > Not having a sysctl would mean that distros will probably have to patch > script interpreters to remove the use of O_MAYEXEC. Or distros would > have to exclude newer version of script interpreters because they > implement O_MAYEXEC. Or distros would have to patch their kernel to > implement themselves the sysctl knob I'm already providing. Sysadmins > may not control the kernel build nor the user space build, they control > the system configuration (some mount point options and some file > execution permissions) but I guess that a distro update breaking a > running system is not acceptable. Either way, unfortunately, I think it > doesn't help anyone to not have a controlling sysctl. The same apply for > access-control LSMs relying on a security policy which can be defined by > sysadmins. > > Your commits enforce file exec checks, which is a good thing from a > security point of view, but unfortunately that would requires distros to > update all the packages providing shared objects once the dynamic linker > uses O_MAYEXEC. I used to agree with this, but I'm now convinced now that the sysctls are redundant and will ultimately impede adoption. In looking at what levels the existing (CLIP OS, Chrome OS) and future (PEP 578) implementations have needed to do to meaningfully provide the protection, it seems like software will not be using this flag out of the blue. It'll need careful addition way beyond the scope of just a sysctl. (As in, I don't think using O_MAYEXEC is going to just get added without thought to all interpreters. And developers that DO add it will want to know that the system will behave in the specified way: having it be off by default will defeat the purpose of adding the flag for the end users.) I think it boils down to deciding how to control enforcement: should it be up to the individual piece of software, or should it be system-wide? Looking at the patches Chrome OS has made to the shell (and the accompanying system changes), and Python's overall plans, it seems to me that the requirements for meaningfully using this flag is going to be very software-specific. Now, if the goal is to try to get O_MAYEXEC into every interpreter as widely as possible without needing to wait for the software-specific design changes, then I can see the reason to want a default-off global sysctl. (Though in that case, I suspect it needs to be tied to userns or something to support containers with different enforcement levels.) > > Maybe I've missed some earlier discussion that ruled this out, but I > > couldn't find it: let's just add O_EXEC and be done with it. It actually > > makes the execve() path more like openat2() and is much cleaner after > > a little refactoring. Here are the results, though I haven't emailed it > > yet since I still want to do some more testing: > > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/o_exec/v1 > > > > I look forward to flames! ;) > > > > Like Florian said, O_EXEC is for execute-only (which obviously doesn't > work for scripts): > https://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html > On the other hand, the semantic of O_MAYEXEC is complementary to other > O_* flags. It is inspired by the VM_MAYEXEC flag. Ah! I see now -- it's intended to be like the O_*ONLY flags. I misunderstood what Florian meant. Okay, sure that's a good enough reason for me to retain the O_MAYEXEC name. (And then I think this distinction from O_EXEC needs to be well documented.) > The O_EXEC flag is specified for open(2). openat2(2) is Linux-specific > and it is highly unlikely that new flags will be added to open(2) or > openat(2) because of compatibility issues. Agreed. (Which in my mind is further rationale that a sysctl isn't wanted here: adding O_MAYEXEC will need to be very intentional.) > FYI, musl implements O_EXEC on Linux with O_PATH: > https://www.openwall.com/lists/musl/2013/02/22/1 > https://git.musl-libc.org/cgit/musl/commit/?id=6d05d862975188039e648273ceab350d9ab5b69e > > However, the O_EXEC flag/semantic could be useful for the dynamic > linkers, i.e. to only be able to map files in an executable (and > read-only) way. If this is OK, then we may want to rename O_MAYEXEC to > something like O_INTERPRET. This way we could have two new flags for > sightly (but important) different use cases. The sysctl bitfield could > be extended to manage both of these flags. If it's not O_EXEC, then I do like keeping "EXEC" in the flag name, since it has direct relation to noexec and exec-bit. I'm fine with O_MAYEXEC -- I just couldn't find the rationale for why it _shouldn't_ be O_EXEC. (Which is now well understood -- thanks to you you and Florian!) > Other than that, the other commits are interesting. I'm a bit worried > about the implication of the f_flags/f_mode change though. That's an area I also didn't see why FMODE_EXEC wasn't retained in f_mode. Especially given the nature of the filtering out FMODE_NONOTIFY in build_open_flags(). Why would FMODE_NONOTIFY move to f_mode, but not FMODE_EXEC? > From a practical point of view, I'm also wondering how you intent to > submit this series on LKML without conflicting with the current > O_MAYEXEC series (versions, changes…). I would like you to keep the > warnings from my patches about other ways to execute/interpret code and > the threat model (patch 1/6 and 5/6). I don't intend it to conflict -- I wanted to have actual code written out to share as a basis for discussion. I didn't want to talk about "maybe we can try $foo", but rather "here's $foo; what do y'all think?" :) -- Kees Cook