linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Mickaël Salaün" <mic@digikod.net>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Kees Cook <keescook@chromium.org>
Cc: "Al Viro" <viro@zeniv.linux.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Christian Heimes" <christian@python.org>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>,
	"James Morris" <jmorris@namei.org>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"Muhammad Usama Anjum" <usama.anjum@collabora.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Steve Dower" <steve.dower@python.org>,
	"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
	"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
	"LSM List" <linux-security-module@vger.kernel.org>,
	"Christian Brauner" <brauner@kernel.org>
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
Date: Mon, 4 Apr 2022 22:30:13 +0200	[thread overview]
Message-ID: <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net> (raw)
In-Reply-To: <CAHk-=wgoC76v-4s0xVr1Xvnx-8xZ8M+LWgyq5qGLA5UBimEXtQ@mail.gmail.com>


On 04/04/2022 20:47, Linus Torvalds wrote:
> On Mon, Apr 4, 2022 at 11:40 AM Kees Cook <keescook@chromium.org> wrote:
>>
>> It looks like this didn't get pulled for -rc1 even though it was sent
>> during the merge window and has been in -next for a while. It would be
>> really nice to get this landed since userspace can't make any forward
>> progress without the kernel support.
> 
> Honestly, I need a *lot* better reasoning for random new non-standard
> system calls than this had.
> 
> And this kind of "completely random interface with no semantics except
> for random 'future flags'" I will not pull even *with* good reasoning.

I think the semantic is well defined:
"This new syscall enables user space to ask the kernel: is this file
descriptor's content trusted to be used for this purpose?"
See the trusted_for_policy sysctl documentation: 
https://lore.kernel.org/all/20220104155024.48023-3-mic@digikod.net/

There is currently only one defined and implemented purpose: execution 
(or script interpretation). There is room for other flags because it is 
a good practice to do so, and other purposes were proposed.


> 
> I already told Mickaël in private that I wouldn't pull this.
> 
> Honestly, we have a *horrible* history with non-standard system calls,
> and that's been true even for well-designed stuff that actually
> matters, that people asked for.
> 
> Something  like this, which adds one very special system call and
> where the whole thing is designed for "let's add something random
> later because we don't even know what we want" is right out.
> 
> What the system call seems to actually *want* is basically a new flag
> to access() (and faccessat()). One that is very close to what X_OK
> already is.

I agree.


> 
> But that wasn't how it was sold.
> 
> So no. No way will this ever get merged, and whoever came up with that
> disgusting "trusted_for()" (for WHAT? WHO TRUSTS? WHY?) should look
> themselves in the mirror.

Well, naming is difficult, but I'm open to suggestion. :)

As explained in the description, the WHAT is the file descriptor 
content, the WHO TRUSTS is the system security policy (e.g. the mount 
point options) and the WHY is defined by the usage flag 
(TRUSTED_FOR_EXECUTION).
This translates to: is this file descriptor's content trusted to be used 
for this specified purpose/usage?


> 
> If you add a new X_OK variant to access(), maybe that could fly.

As answered in private, that was the approach I took for one of the 
early versions but a dedicated syscall was requested by Al Viro: 
https://lore.kernel.org/r/2ed377c4-3500-3ddc-7181-a5bc114ddf94@digikod.net
The main reason behind this request was that it doesn't have the exact 
same semantic as faccessat(2). The changes for this syscall are 
documented here: 
https://lore.kernel.org/all/20220104155024.48023-3-mic@digikod.net/
The whole history is linked in the cover letter: 
https://lore.kernel.org/all/2ed377c4-3500-3ddc-7181-a5bc114ddf94@digikod.net/

This initial proposal was using a new faccessat2(2) flag: 
AT_INTERPRETED, see 
https://lore.kernel.org/all/20200908075956.1069018-2-mic@digikod.net/
What do you think about that? I'm happy to get back to this version if 
everyone is OK with it.

  reply	other threads:[~2022-04-04 21:17 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-21 16:15 [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2022-03-21 17:38 ` Luis Chamberlain
2022-03-21 18:05   ` Mickaël Salaün
2022-03-21 23:32     ` Luis Chamberlain
2022-03-30 16:06 ` Mickaël Salaün
2022-04-04 18:40 ` Kees Cook
2022-04-04 18:47   ` Linus Torvalds
2022-04-04 20:30     ` Mickaël Salaün [this message]
2022-04-04 21:28       ` Linus Torvalds
2022-04-04 21:40         ` Linus Torvalds
2022-04-04 22:25         ` Kees Cook
2022-04-04 23:26           ` Linus Torvalds
2022-04-05 16:09             ` Mickaël Salaün
2022-04-05 16:17               ` Linus Torvalds
2023-02-08 19:32               ` Kees Cook
2023-02-09 15:43                 ` Mickaël Salaün
2022-04-05 22:21             ` Theodore Ts'o
2022-04-05 15:55           ` Mickaël Salaün
2022-04-05 15:38         ` Mickaël Salaün
2022-04-05 14:54       ` Theodore Ts'o
2022-04-05 16:14         ` Mickaël Salaün

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=816667d8-2a6c-6334-94a4-6127699d4144@digikod.net \
    --to=mic@digikod.net \
    --cc=akpm@linux-foundation.org \
    --cc=brauner@kernel.org \
    --cc=christian@python.org \
    --cc=geert@linux-m68k.org \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=paul@paul-moore.com \
    --cc=philippe.trebuchet@ssi.gouv.fr \
    --cc=skhan@linuxfoundation.org \
    --cc=steve.dower@python.org \
    --cc=thibaut.sautereau@ssi.gouv.fr \
    --cc=torvalds@linux-foundation.org \
    --cc=usama.anjum@collabora.com \
    --cc=vincent.strubel@ssi.gouv.fr \
    --cc=viro@zeniv.linux.org.uk \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).