From: "Mickaël Salaün" <mic@digikod.net>
To: Florian Weimer <fweimer@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-kernel@vger.kernel.org, "Aleksa Sarai" <cyphar@cyphar.com>, "Alexei Starovoitov" <ast@kernel.org>, "Andrew Morton" <akpm@linux-foundation.org>, "Andy Lutomirski" <luto@kernel.org>, "Christian Brauner" <christian.brauner@ubuntu.com>, "Christian Heimes" <christian@python.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "Deven Bowers" <deven.desai@linux.microsoft.com>, "Dmitry Vyukov" <dvyukov@google.com>, "Eric Biggers" <ebiggers@kernel.org>, "Eric Chiang" <ericchiang@google.com>, "James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>, "Jann Horn" <jannh@google.com>, "Jonathan Corbet" <corbet@lwn.net>, "Kees Cook" <keescook@chromium.org>, "Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>, "Matthew Garrett" <mjg59@google.com>, "Matthew Wilcox" <willy@infradead.org>, "Michael Kerrisk" <mtk.manpages@gmail.com>, "Mimi Zohar" <zohar@linux.ibm.com>, "Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>, "Scott Shell" <scottsh@microsoft.com>, "Sean Christopherson" <sean.j.christopherson@intel.com>, "Shuah Khan" <shuah@kernel.org>, "Steve Dower" <steve.dower@python.org>, "Steve Grubb" <sgrubb@redhat.com>, "Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>, "Thibaut Sautereau" <thibaut.sautereau@clip-os.org>, "Vincent Strubel" <vincent.strubel@ssi.gouv.fr>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, "Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>
Subject: Re: [PATCH v7 4/7] fs: Introduce O_MAYEXEC flag for openat2(2)
Date: Mon, 27 Jul 2020 21:46:55 +0200
Message-ID: <eaf5bc42-e086-740b-a90c-93e67c535eee@digikod.net>
In-Reply-To: <87y2n55xzv.fsf@oldenburg2.str.redhat.com>

On 27/07/2020 07:27, Florian Weimer wrote:
> * Al Viro:
>
>> On Thu, Jul 23, 2020 at 07:12:24PM +0200, Mickaël Salaün wrote:
>>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>>> additional restrictions depending on a security policy managed by the
>>> kernel through a sysctl or implemented by an LSM thanks to the
>>> inode_permission hook. This new flag is ignored by open(2) and
>>> openat(2) because of their unspecified flags handling. When used with
>>> openat2(2), the default behavior is only to forbid opening a directory.
>>
>> Correct me if I'm wrong, but it looks like you are introducing a magical
>> flag that would mean "let the Linux S&M take an extra special whip
>> for this open()".

There is nothing magic, it doesn't only work with the LSM framework, and
there is nothing painful nor humiliating here (except maybe this language).

>>
>> Why is it done during open? If the caller is passing it deliberately,
>> why not have an explicit request to apply given torture device to an
>> already opened file? Why not sys_masochism(int fd, char *hurt_flavour),
>> for that matter?
>
> While I do not think this is appropriate language for a workplace, Al
> has a point: If the auditing event can be generated on an already-open
> descriptor, it would also cover scenarios like this one:
>
> perl < /path/to/script
>
> Where the process that opens the file does not (and cannot) know that it
> will be used for execution purposes.

The check is done during open because the goal of this patch series is to
address the problem of script execution when opening a script in well
controlled systems (e.g. to enforce a "write xor execute" policy, to do an
atomic integrity check [1], to check specific execute/read permissions,
etc.). As discussed multiple times, controlling other means to interpret
commands (stdin, environment variables, etc.) is out of scope and should be
handled by interpreters (in userspace). Someone could still extend fcntl(2)
to enable checking file descriptors, but it is an independent change not
required for now.

Specific audit features are also out of scope for now [2].

[1] https://lore.kernel.org/lkml/1544699060.6703.11.camel@linux.ibm.com/
[2] https://lore.kernel.org/lkml/202007160822.CCDB5478@keescook/
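The following is an added example, not code from the patch series or from anyone in this thread. It shows what the opt-in described above looks like from the interpreter side: an openat2(2) call carrying O_MAYEXEC, and the decision an interpreter has to make for each outcome (policy denied the file, kernel does not know the flag, kernel has no openat2(2) at all). Because openat2(2) rejects unknown flags with EINVAL while open(2) silently ignores them, the fallback logic is where a deployment decides whether to fail closed. The O_MAYEXEC bit value is not on this page, so the example takes it as a run-time parameter instead of hard-coding it; `struct open_how_compat`, `open_for_exec`, `classify_exec_open_error` and `should_fallback_to_plain_open` are names chosen for this example.

```c
/* Added example: interpreter-side use of openat2(2) with O_MAYEXEC.
 * Not part of the patch series; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Prototype repeated so the example builds even if unistd.h was pulled in
 * before _GNU_SOURCE took effect. */
extern long syscall(long number, ...);

#ifndef SYS_openat2
#define SYS_openat2 437 /* openat2(2) has the same number on every architecture */
#endif

/* Same layout as struct open_how in <linux/openat2.h>, declared locally so
 * the example also builds against headers older than Linux 5.6. */
struct open_how_compat {
	uint64_t flags;
	uint64_t mode;
	uint64_t resolve;
};

enum exec_open_result {
	EXEC_OPEN_OK,          /* the kernel accepted the open with O_MAYEXEC */
	EXEC_OPEN_DENIED,      /* policy (sysctl or LSM) refused the file, or it is a directory */
	EXEC_OPEN_UNSUPPORTED, /* no openat2(2), or a kernel that does not know O_MAYEXEC */
	EXEC_OPEN_OTHER_ERROR  /* ENOENT and friends: an ordinary open failure */
};

/* Translate the errno left behind by openat2(2) into a decision. */
enum exec_open_result classify_exec_open_error(int err)
{
	switch (err) {
	case 0:
		return EXEC_OPEN_OK;
	case EACCES:
	case EPERM:
	case EISDIR:
		return EXEC_OPEN_DENIED;
	case ENOSYS: /* openat2(2) missing (kernel before 5.6) */
	case EINVAL: /* openat2(2) rejects flags it does not know; open(2) would
	              * silently drop the bit, which is why the flag is openat2-only */
		return EXEC_OPEN_UNSUPPORTED;
	default:
		return EXEC_OPEN_OTHER_ERROR;
	}
}

/* Open `path` for reading as code to interpret. Returns the fd, or -errno.
 * `o_mayexec` is the O_MAYEXEC bit from the patched kernel's uapi headers
 * (assumption: the caller supplies it; nothing here hard-codes a value). */
int open_for_exec(int dirfd, const char *path, uint64_t o_mayexec)
{
	struct open_how_compat how = {
		.flags = O_RDONLY | O_CLOEXEC | o_mayexec,
		.mode = 0,
		.resolve = 0,
	};
	long fd = syscall(SYS_openat2, dirfd, path, &how, sizeof(how));
	return fd < 0 ? -errno : (int)fd;
}

/* Retry with a plain open(2) only when the kernel cannot enforce anything
 * AND the deployment tolerates that; a hardened ("strict") system fails closed. */
int should_fallback_to_plain_open(enum exec_open_result r, int strict)
{
	return r == EXEC_OPEN_UNSUPPORTED && !strict;
}

int main(int argc, char **argv)
{
	if (argc != 3) {
		fprintf(stderr, "usage: %s <script> <O_MAYEXEC value from uapi headers, e.g. 0x...>\n", argv[0]);
		return 2;
	}
	uint64_t o_mayexec = strtoull(argv[2], NULL, 0);
	int ret = open_for_exec(AT_FDCWD, argv[1], o_mayexec);
	enum exec_open_result r = classify_exec_open_error(ret < 0 ? -ret : 0);
	/* A real interpreter would read and run the script from the fd here.
	 * Code arriving via stdin or an environment variable never passes
	 * through this path, which is exactly the case the thread leaves to
	 * the interpreter itself. */
	printf("openat2(O_MAYEXEC) -> %s: %s\n",
	       ret < 0 ? strerror(-ret) : "ok",
	       r == EXEC_OPEN_OK ? "run it" :
	       r == EXEC_OPEN_DENIED ? "refuse" :
	       should_fallback_to_plain_open(r, 0) ? "kernel cannot enforce, plain open" :
	       "fail");
	if (ret >= 0)
		close(ret);
	return r == EXEC_OPEN_OK ? 0 : 1;
}
```

Run as `./a.out /path/to/script 0x<O_MAYEXEC>` with the value taken from the patched kernel's `<asm-generic/fcntl.h>`. On a kernel without the patch the call returns EINVAL, and the non-strict branch degrades to a plain open; a hardened build should pass `strict = 1` so that an unpatched kernel is a hard error rather than a silent loss of the check.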