From: "Mickaël Salaün" <mic@digikod.net>
To: Kees Cook <kees@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Paul Moore <paul@paul-moore.com>, Theodore Ts'o <tytso@mit.edu>,
Alejandro Colomar <alx@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Christian Heimes <christian@python.org>,
Dmitry Vyukov <dvyukov@google.com>,
Eric Biggers <ebiggers@kernel.org>,
Eric Chiang <ericchiang@google.com>,
Fan Wu <wufan@linux.microsoft.com>,
Florian Weimer <fweimer@redhat.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
James Morris <jamorris@linux.microsoft.com>,
Jan Kara <jack@suse.cz>, Jann Horn <jannh@google.com>,
Jeff Xu <jeffxu@google.com>, Jonathan Corbet <corbet@lwn.net>,
Jordan R Abrahams <ajordanr@google.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Luca Boccassi <bluca@debian.org>,
Luis Chamberlain <mcgrof@kernel.org>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
Matt Bobrowski <mattbobrowski@google.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Matthew Wilcox <willy@infradead.org>,
Miklos Szeredi <mszeredi@redhat.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>,
Scott Shell <scottsh@microsoft.com>,
Shuah Khan <shuah@kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Steve Dower <steve.dower@python.org>,
Steve Grubb <sgrubb@redhat.com>,
Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
Xiaoming Ni <nixiaoming@huawei.com>,
Yin Fengwei <fengwei.yin@intel.com>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)
Date: Fri, 5 Jul 2024 19:53:10 +0200 [thread overview]
Message-ID: <20240705.uch1saeNi6mo@digikod.net> (raw)
In-Reply-To: <202407041656.3A05153@keescook>
On Thu, Jul 04, 2024 at 05:04:03PM -0700, Kees Cook wrote:
> On Thu, Jul 04, 2024 at 09:01:33PM +0200, Mickaël Salaün wrote:
> > Add a new AT_CHECK flag to execveat(2) to check if a file would be
> > allowed for execution. The main use case is for script interpreters and
> > dynamic linkers to check execution permission according to the kernel's
> > security policy. Another use case is to add context to access logs e.g.,
> > which script (instead of interpreter) accessed a file. As any
> > executable code, scripts could also use this check [1].
> >
> > This is different than faccessat(2) which only checks file access
> > rights, but not the full context e.g. mount point's noexec, stack limit,
> > and all potential LSM extra checks (e.g. argv, envp, credentials).
> > Since the use of AT_CHECK follows the exact kernel semantic as for a
> > real execution, user space gets the same error codes.
>
> Nice! I much prefer this method of going through the exec machinery so
> we always have a single code path for these kinds of checks.
>
> > Because AT_CHECK is dedicated to user space interpreters, it doesn't
> > make sense for the kernel to parse the checked files, look for
> > interpreters known to the kernel (e.g. ELF, shebang), and return ENOEXEC
> > if the format is unknown. Because of that, security_bprm_check() is
> > never called when AT_CHECK is used.
>
> I'd like some additional comments in the code that reminds us that
> access control checks have finished past a certain point.
Where in the code? Just before the bprm->is_check assignment?
>
> [...]
> > diff --git a/fs/exec.c b/fs/exec.c
> > index 40073142288f..ea2a1867afdc 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -931,7 +931,7 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
> > .lookup_flags = LOOKUP_FOLLOW,
> > };
> >
> > - if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
> > + if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH | AT_CHECK)) != 0)
> > return ERR_PTR(-EINVAL);
> > if (flags & AT_SYMLINK_NOFOLLOW)
> > open_exec_flags.lookup_flags &= ~LOOKUP_FOLLOW;
> [...]
> > + * To avoid race conditions leading to time-of-check to time-of-use issues,
> > + * AT_CHECK should be used with AT_EMPTY_PATH to check against a file
> > + * descriptor instead of a path.
>
> I want this enforced by the kernel. Let's not leave trivial ToCToU
> foot-guns around. i.e.:
>
> if ((flags & AT_CHECK) == AT_CHECK && (flags & AT_EMPTY_PATH) == 0)
> return ERR_PTR(-EBADF);
There are valid use cases relying on pathnames. See Linus's comment:
https://lore.kernel.org/r/CAHk-=whb=XuU=LGKnJWaa7LOYQz9VwHs8SLfgLbT5sf2VAbX1A@mail.gmail.com
next prev parent reply other threads:[~2024-07-05 17:53 UTC|newest]
Thread overview: 103+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-04 19:01 [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC) Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2) Mickaël Salaün
2024-07-05 0:04 ` Kees Cook
2024-07-05 17:53 ` Mickaël Salaün [this message]
2024-07-08 19:38 ` Kees Cook
2024-07-05 18:03 ` Florian Weimer
2024-07-06 14:55 ` Mickaël Salaün
2024-07-06 15:32 ` Florian Weimer
2024-07-08 8:56 ` Mickaël Salaün
2024-07-08 16:37 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC (was: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)) Florian Weimer
2024-07-08 17:34 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC Eric W. Biederman
2024-07-08 17:59 ` Florian Weimer
2024-07-10 10:05 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC (was: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)) Mickaël Salaün
2024-07-08 16:08 ` [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2) Jeff Xu
2024-07-08 16:25 ` Florian Weimer
2024-07-08 16:40 ` Jeff Xu
2024-07-08 17:05 ` Mickaël Salaün
2024-07-08 17:33 ` Florian Weimer
2024-07-08 17:52 ` Jeff Xu
2024-07-09 9:18 ` Mickaël Salaün
2024-07-09 10:05 ` Florian Weimer
2024-07-09 20:42 ` Mickaël Salaün
2024-07-09 18:57 ` Jeff Xu
2024-07-09 20:41 ` Mickaël Salaün
2024-07-06 8:52 ` Andy Lutomirski
2024-07-07 9:01 ` Mickaël Salaün
2024-07-17 6:33 ` Jeff Xu
2024-07-17 8:26 ` Steve Dower
2024-07-17 10:00 ` Mickaël Salaün
2024-07-18 1:02 ` Andy Lutomirski
2024-07-18 12:22 ` Mickaël Salaün
2024-07-20 1:59 ` Andy Lutomirski
2024-07-20 11:43 ` Jarkko Sakkinen
2024-07-23 13:16 ` Mickaël Salaün
2024-07-23 13:16 ` Mickaël Salaün
2024-07-18 1:51 ` Jeff Xu
2024-07-18 12:23 ` Mickaël Salaün
2024-07-18 22:54 ` Jeff Xu
2024-07-17 10:01 ` Mickaël Salaün
2024-07-18 2:08 ` Jeff Xu
2024-07-18 12:24 ` Mickaël Salaün
2024-07-18 13:03 ` James Bottomley
2024-07-18 15:35 ` Mickaël Salaün
2024-07-19 1:29 ` Jeff Xu
2024-07-19 8:44 ` Mickaël Salaün
2024-07-19 14:16 ` Jeff Xu
2024-07-19 15:04 ` Mickaël Salaün
2024-07-19 15:27 ` Jeff Xu
2024-07-23 13:15 ` Mickaël Salaün
2024-08-05 18:35 ` Jeff Xu
2024-08-09 8:45 ` Mickaël Salaün
2024-08-09 16:15 ` Jeff Xu
2024-07-19 15:12 ` Jeff Xu
2024-07-19 15:31 ` Mickaël Salaün
2024-07-19 17:36 ` Jeff Xu
2024-07-23 13:15 ` Mickaël Salaün
2024-07-18 14:46 ` enh
2024-07-18 15:35 ` Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 2/5] security: Add new SHOULD_EXEC_CHECK and SHOULD_EXEC_RESTRICT securebits Mickaël Salaün
2024-07-05 0:18 ` Kees Cook
2024-07-05 17:54 ` Mickaël Salaün
2024-07-05 21:44 ` Kees Cook
2024-07-05 22:22 ` Jarkko Sakkinen
2024-07-06 14:56 ` Mickaël Salaün
2024-07-06 17:28 ` Jarkko Sakkinen
2024-07-06 14:56 ` Mickaël Salaün
2024-07-18 14:16 ` Roberto Sassu
2024-07-18 16:20 ` Mickaël Salaün
2024-07-08 16:17 ` Jeff Xu
2024-07-08 17:53 ` Jeff Xu
2024-07-08 18:48 ` Mickaël Salaün
2024-07-08 21:15 ` Jeff Xu
2024-07-08 21:25 ` Steve Dower
2024-07-08 22:07 ` Jeff Xu
2024-07-09 20:42 ` Mickaël Salaün
2024-07-09 21:57 ` Jeff Xu
2024-07-10 9:58 ` Mickaël Salaün
2024-07-10 16:26 ` Kees Cook
2024-07-11 8:57 ` Mickaël Salaün
2024-07-16 15:02 ` Jeff Xu
2024-07-16 15:10 ` Steve Dower
2024-07-16 15:15 ` Mickaël Salaün
2024-07-16 15:18 ` Jeff Xu
2024-07-10 16:32 ` Steve Dower
2024-07-20 2:06 ` Andy Lutomirski
2024-07-23 13:15 ` Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 3/5] selftests/exec: Add tests for AT_CHECK and related securebits Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 4/5] selftests/landlock: Add tests for execveat + AT_CHECK Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 5/5] samples/should-exec: Add set-should-exec Mickaël Salaün
2024-07-08 19:40 ` Mimi Zohar
2024-07-09 20:42 ` Mickaël Salaün
2024-07-08 20:35 ` [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC) Mimi Zohar
2024-07-09 20:43 ` Mickaël Salaün
2024-07-16 15:57 ` Roberto Sassu
2024-07-16 16:12 ` James Bottomley
2024-07-16 17:29 ` Boris Lukashev
2024-07-16 17:47 ` Mickaël Salaün
2024-07-17 17:59 ` Boris Lukashev
2024-07-18 13:00 ` Mickaël Salaün
2024-07-16 17:31 ` Mickaël Salaün
2024-07-18 16:21 ` Mickaël Salaün
2024-07-15 20:16 ` Jonathan Corbet
2024-07-16 7:13 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240705.uch1saeNi6mo@digikod.net \
--to=mic@digikod.net \
--cc=ajordanr@google.com \
--cc=akpm@linux-foundation.org \
--cc=alx@kernel.org \
--cc=arnd@arndb.de \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=ericchiang@google.com \
--cc=fengwei.yin@intel.com \
--cc=fweimer@redhat.com \
--cc=geert@linux-m68k.org \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=kees@kernel.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=mattbobrowski@google.com \
--cc=mcgrof@kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=mszeredi@redhat.com \
--cc=nicolas.bouchinet@ssi.gouv.fr \
--cc=nixiaoming@huawei.com \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=scottsh@microsoft.com \
--cc=sfr@canb.auug.org.au \
--cc=sgrubb@redhat.com \
--cc=shuah@kernel.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@ssi.gouv.fr \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.