From: Linus Torvalds <torvalds@linux-foundation.org>
To: Kees Cook <keescook@chromium.org>,
Kentaro Takeda <takedakn@nttdata.co.jp>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
John Johansen <john.johansen@canonical.com>,
Paul Moore <paul@paul-moore.com>
Cc: Kevin Locke <kevin@kevinlocke.name>,
Josh Triplett <josh@joshtriplett.org>,
Mateusz Guzik <mjguzik@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper
Date: Wed, 24 Jan 2024 10:27:03 -0800 [thread overview]
Message-ID: <CAHk-=whDAUMSPhDhMUeHNKGd-ZX8ixNeEz7FLfQasAGvi_knDg@mail.gmail.com> (raw)
In-Reply-To: <CAHk-=whq+Kn-_LTvu8naGqtN5iK0c48L1mroyoGYuq_DgFEC7g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1450 bytes --]
On Wed, 24 Jan 2024 at 09:27, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> IOW, I think the goal here should be "minimal fix" followed by "remove
> that horrendous thing".
Ugh. The tomoyo use is even *more* disgusting, in how it uses it for
"tomoyo_domain()" entirely independently of even the ->file_open()
callback.
So for tomoyo, it's not about the file open, it's about
tomoyo_cred_prepare() and friends.
So the patch I posted probably fixes apparmor, but only breaks tomoyo
instead, because tomoyo really does seem to use it around the whole
security_bprm_creds_for_exec() thing.
Now, tomoyo *also* uses it for the file_open() callback, just to confuse things.
IOW, I think the right thing to do is to split this in two:
- leave the existing ->in_execve for the bprm_creds dance in
boprm_execve(). Horrendous and disgusing.
- the ->file_open() thing is changed to check file->f_flags
(with a comment about how FMODE_EXEC is in f_flags, not f_mode like it
should be).
IOW, I think the patch I posted earlier - and Kees' version of the
same thing - is just broken. This attached patch might work.
And as noted, since it checks __FMODE_EXEC, it now allows the uselib()
case too. I think that's ok.
UNTESTED. But I think this is at least a movement in the right
direction. The whole cred use of current->in_execve in tomoyo should
*also* be fixed, but I didn't even try to follow what it actually
wanted.
Linus
[-- Attachment #2: patch.diff --]
[-- Type: text/x-patch, Size: 1366 bytes --]
security/apparmor/lsm.c | 4 +++-
security/tomoyo/tomoyo.c | 5 +++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 7717354ce095..98e1150bee9d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -469,8 +469,10 @@ static int apparmor_file_open(struct file *file)
* Cache permissions granted by the previous exec check, with
* implicit read and executable mmap which are required to
* actually execute the image.
+ *
+ * Illogically, FMODE_EXEC is in f_flags, not f_mode.
*/
- if (current->in_execve) {
+ if (file->f_flags & __FMODE_EXEC) {
fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
return 0;
}
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 3c3af149bf1c..e8fb02b716aa 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -327,8 +327,9 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd,
*/
static int tomoyo_file_open(struct file *f)
{
- /* Don't check read permission here if called from execve(). */
- if (current->in_execve)
+ /* Don't check read permission here if execve(). */
+ /* Illogically, FMODE_EXEC is in f_flags, not f_mode. */
+ if (file->f_flags & __FMODE_EXEC)
return 0;
return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path,
f->f_flags);
next prev parent reply other threads:[~2024-01-24 18:27 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-24 16:19 [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper Kevin Locke
2024-01-24 16:35 ` Kees Cook
2024-01-24 16:46 ` Linus Torvalds
2024-01-24 16:54 ` Linus Torvalds
2024-01-24 17:10 ` Linus Torvalds
2024-01-24 17:21 ` Kees Cook
2024-01-24 17:27 ` Linus Torvalds
2024-01-24 18:27 ` Linus Torvalds [this message]
2024-01-24 18:29 ` Linus Torvalds
2024-01-24 19:02 ` Kees Cook
2024-01-24 19:41 ` Linus Torvalds
2024-01-25 14:16 ` Tetsuo Handa
2024-01-25 17:17 ` Linus Torvalds
2024-01-27 7:04 ` Tetsuo Handa
2024-01-27 11:00 ` Tetsuo Handa
2024-01-27 11:23 ` Tetsuo Handa
2024-01-24 18:57 ` Kees Cook
2024-01-27 5:17 ` John Johansen
2024-01-24 17:15 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=whDAUMSPhDhMUeHNKGd-ZX8ixNeEz7FLfQasAGvi_knDg@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=john.johansen@canonical.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=kevin@kevinlocke.name \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjguzik@gmail.com \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=takedakn@nttdata.co.jp \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).