From: Florian Weimer
To: Jann Horn
Cc: Mickaël Salaün, kernel list, Aleksa Sarai, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Deven Bowers, Eric Chiang, James Morris, Jan Kara, Jonathan Corbet, Kees Cook, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Steve Dower, Steve Grubb, Thibaut Sautereau, Vincent Strubel, Kernel Hardening, Linux API, linux-security-module, linux-fsdevel
Subject: Re: [PATCH v3 0/5] Add support for RESOLVE_MAYEXEC
References: <20200428175129.634352-1-mic@digikod.net>
Date: Tue, 28 Apr 2020 23:20:20 +0200
In-Reply-To: (Jann Horn's message of "Tue, 28 Apr 2020 21:21:48 +0200")
Message-ID: <87blnb48a3.fsf@mid.deneb.enyo.de>
X-Mailing-List: linux-api@vger.kernel.org

* Jann Horn:

> Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in
> the dynamic linker.

Absolutely. In typical configurations, the kernel does not enforce
that executable mappings must be backed by files which are executable.
It's most obvious with using an explicit loader invocation to run
executables on noexec mounts.

RESOLVE_MAYEXEC is much more useful than trying to reimplement the
kernel permission checks (or what some believe they should be) in
userspace.