From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Weinberger Subject: Re: [REVIEW][PATCH 1/2] vfs: Commit to never having exectuables on proc and sysfs. Date: Fri, 10 Jul 2015 20:24:41 +0200 Message-ID: <55A00DE9.7060806@nod.at> References: <87381eyz26.fsf@x220.int.ebiederm.org> <87pp4eqktr.fsf@x220.int.ebiederm.org> <20150704231118.GT17109@ZenIV.linux.org.uk> <87mvz4yomp.fsf_-_@x220.int.ebiederm.org> <87h9pcyokc.fsf_-_@x220.int.ebiederm.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <87h9pcyokc.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: "Eric W. Biederman" , Linux Containers Cc: Seth Forshee , Linux API , Al Viro , Andy Lutomirski , Kenton Varda , Michael Kerrisk-manpages , Greg Kroah-Hartman , linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Tejun Heo , Ivan Delalande , Linus Torvalds List-Id: linux-api@vger.kernel.org Am 10.07.2015 um 18:17 schrieb Eric W. Biederman: > > Today proc and sysfs do not contain any executable files. Several > applications today mount proc or sysfs without noexec and nosuid and > then depend on there being no exectuables files on proc or sysfs. > Having any executable files show on proc or sysfs would cause > a user space visible regression, and most likely security problems. > > Therefore commit to never allowing executables on proc and sysfs by > adding a new flag to mark them as filesystems without executables and > enforce that flag. > > Test the flag where MNT_NOEXEC is tested today, so that the only user > visible effect will be that exectuables will be treated as if the > execute bit is cleared. > > The filesystems proc and sysfs do not currently incoporate any > executable files so this does not result in any user visible effects. > > This makes it unnecessary to vet changes to proc and sysfs tightly for > adding exectuable files or changes to chattr that would modify > existing files, as no matter what the individual file say they will > not be treated as exectuable files by the vfs. > > Not having to vet changes to closely is important as without this we > are only one proc_create call (or another goof up in the > implementation of notify_change) from having problematic executables > on proc. Those mistakes are all too easy to make and would create > a situation where there are security issues or the assumptions of > some program having to be broken (and cause userspace regressions). Would it make sense to add SB_I_NOEXEC to more pseudo filesystems? Say pstore or devpts? Thanks, //richard