From: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>
To: Greg Kroah-Hartman
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
Cc: "Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
"Linux Containers"
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"Linus Torvalds"
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
"Linux API" <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
"Andy Lutomirski" <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
"Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
"Kenton Varda" <kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org>,
"Michael Kerrisk-manpages"
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
"Stéphane Graber"
<stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>,
"Eric Windisch"
<ewindisch-FCduhRhOUaTQT0dZR+AlfA@public.gmane.org>,
"Tejun Heo" <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
"Seth Forshee"
<seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
"Omar Sandoval" <osandov-nWWhXC5lh1RBDgjK7y7TUQ@public.gmane.org>,
"Ivan Delalande" <colona-nzgTgzXrdUbQT0dZR+AlfA@public.gmane.org>,
"Al Viro"
<viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: Re: [REVIEW][PATCH 1/2] vfs: Commit to never having exectuables on proc and sysfs.
Date: Fri, 10 Jul 2015 21:38:51 +0200 [thread overview]
Message-ID: <55A01F4B.9010205@nod.at> (raw)
In-Reply-To: <20150710193052.GB19824-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
Am 10.07.2015 um 21:30 schrieb Greg Kroah-Hartman:
> On Fri, Jul 10, 2015 at 08:24:41PM +0200, Richard Weinberger wrote:
>> Am 10.07.2015 um 18:17 schrieb Eric W. Biederman:
>>>
>>> Today proc and sysfs do not contain any executable files. Several
>>> applications today mount proc or sysfs without noexec and nosuid and
>>> then depend on there being no exectuables files on proc or sysfs.
>>> Having any executable files show on proc or sysfs would cause
>>> a user space visible regression, and most likely security problems.
>>>
>>> Therefore commit to never allowing executables on proc and sysfs by
>>> adding a new flag to mark them as filesystems without executables and
>>> enforce that flag.
>>>
>>> Test the flag where MNT_NOEXEC is tested today, so that the only user
>>> visible effect will be that exectuables will be treated as if the
>>> execute bit is cleared.
>>>
>>> The filesystems proc and sysfs do not currently incoporate any
>>> executable files so this does not result in any user visible effects.
>>>
>>> This makes it unnecessary to vet changes to proc and sysfs tightly for
>>> adding exectuable files or changes to chattr that would modify
>>> existing files, as no matter what the individual file say they will
>>> not be treated as exectuable files by the vfs.
>>>
>>> Not having to vet changes to closely is important as without this we
>>> are only one proc_create call (or another goof up in the
>>> implementation of notify_change) from having problematic executables
>>> on proc. Those mistakes are all too easy to make and would create
>>> a situation where there are security issues or the assumptions of
>>> some program having to be broken (and cause userspace regressions).
>>
>> Would it make sense to add SB_I_NOEXEC to more pseudo filesystems?
>> Say pstore or devpts?
>
> And configfs and cgroupfs?
Yep. Any filesystem where exectuables do not make sense. :-)
Thanks,
//richard
next prev parent reply other threads:[~2015-07-10 19:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-26 20:50 [GIT PULL] User namespace related fixes for v4.2 Eric W. Biederman
2015-06-29 16:43 ` Linus Torvalds
[not found] ` <CA+55aFysKDXr2HEwNzm3z9QOw=E4ZeWcvYQ-xLhy5_k+rGbeRg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-29 21:13 ` Eric W. Biederman
[not found] ` <87pp4eqktr.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-03 22:10 ` Linus Torvalds
2015-07-03 22:10 ` Linus Torvalds
[not found] ` <CA+55aFw-DK-xDC-3HYa=BMX8WNyQgT9O01tihrAS9+-7PPj_jA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-04 23:11 ` Al Viro
[not found] ` <20150704231118.GT17109-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
2015-07-10 16:16 ` [REVIEW][PATCH 0/2] noexec on proc and sysfs Eric W. Biederman
2015-07-10 16:17 ` [REVIEW][PATCH 1/2] vfs: Commit to never having exectuables " Eric W. Biederman
[not found] ` <87h9pcyokc.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-10 18:24 ` Richard Weinberger
[not found] ` <55A00DE9.7060806-/L3Ra7n9ekc@public.gmane.org>
2015-07-10 19:30 ` Greg Kroah-Hartman
[not found] ` <20150710193052.GB19824-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2015-07-10 19:38 ` Richard Weinberger [this message]
[not found] ` <55A01F4B.9010205-/L3Ra7n9ekc@public.gmane.org>
2015-07-10 20:00 ` Eric W. Biederman
2015-07-10 20:00 ` Eric W. Biederman
2015-07-10 19:38 ` Richard Weinberger
2015-07-10 19:30 ` Greg Kroah-Hartman
[not found] ` <87mvz4yomp.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-10 16:17 ` Eric W. Biederman
2015-07-10 16:18 ` [REVIEW][PATCH 2/2] mnt: fs_fully_visible enforce noexec and nosuid if !SB_I_NOEXEC Eric W. Biederman
2015-07-10 16:16 ` [REVIEW][PATCH 0/2] noexec on proc and sysfs Eric W. Biederman
[not found] ` <87381eyz26.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-06-29 16:43 ` [GIT PULL] User namespace related fixes for v4.2 Linus Torvalds
2015-07-01 20:41 ` Eric W. Biederman
2015-07-06 20:47 ` Seth Forshee
2015-07-06 21:24 ` Eric W. Biederman
[not found] ` <E81DECCD-9B19-4D42-BE43-5987DE7B05DB-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2015-07-06 22:25 ` Seth Forshee
2015-07-06 22:25 ` Seth Forshee
2015-07-06 21:24 ` Eric W. Biederman
[not found] ` <878uazhapq.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2015-07-06 20:47 ` Seth Forshee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55A01F4B.9010205@nod.at \
--to=richard-/l3ra7n9ekc@public.gmane.org \
--cc=colona-nzgTgzXrdUbQT0dZR+AlfA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=ewindisch-FCduhRhOUaTQT0dZR+AlfA@public.gmane.org \
--cc=gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org \
--cc=kenton-AuYgBwuPrUQTaNkGU808tA@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=osandov-nWWhXC5lh1RBDgjK7y7TUQ@public.gmane.org \
--cc=serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org \
--cc=seth.forshee-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=stgraber-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=viro-3bDd1+5oDREiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.