From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andy Lutomirski
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open()
Date: Fri, 6 Sep 2019 14:27:19 -0700
Message-ID:
References: <20190906152455.22757-1-mic@digikod.net> <20190906152455.22757-2-mic@digikod.net> <87ef0te7v3.fsf@oldenburg2.str.redhat.com> <75442f3b-a3d8-12db-579a-2c5983426b4d@ssi.gouv.fr> <20190906171335.d7mc3no5tdrcn6r5@yavin.dot.cyphar.com> <8dc59d585a133e96f9adaf0a148334e7f19058b9.camel@kernel.org>
In-Reply-To: <8dc59d585a133e96f9adaf0a148334e7f19058b9.camel@kernel.org>
To: Jeff Layton
Cc: Aleksa Sarai, Mickaël Salaün, Florian Weimer, Mickaël Salaün, LKML, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Eric Chiang, James Morris, Jan Kara, Jann Horn, Jonathan Corbet, Kees Cook, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sea
List-Id: linux-api@vger.kernel.org

> On Sep 6, 2019, at 1:51 PM, Jeff Layton wrote:
>
> On Fri, 2019-09-06 at 13:06 -0700, Andy Lutomirski wrote:
>
>> I'm not at all convinced that the kernel needs to distinguish all these, but at least upgradability should be its own thing IMO.
>
> Good point. Upgradability is definitely orthogonal, though the idea
> there is to alter the default behavior. If the default is NOEXEC then
> UPGRADE_EXEC would make sense.
>
> In any case, I was mostly thinking about the middle two in your list
> above. After more careful reading of the patches, I now get that
> Mickaël is more interested in the first, and that's really a different
> sort of use-case.
>
> Most opens never result in the fd being fed to fexecve or mmapped with
> PROT_EXEC, so having userland explicitly opt-in to allowing that during
> the open sounds like a reasonable thing to do.
>
> But I get that preventing execution via script interpreters of files
> that are not executable might be something nice to have.
>
> Perhaps we need two flags for openat2?
>
> OA2_MAYEXEC : test that permissions allow execution and that the file
> doesn't reside on a noexec mount before allowing the open
>
> OA2_EXECABLE : only allow fexecve or mmapping with PROT_EXEC if the fd
> was opened with this
>

We could go one step farther and have three masks: check_perms, fd_perms, and upgrade_perms. check_perms says “fail if I don’t have these perms”. fd_perms is the permissions on the returned fd, and upgrade_perms is the upgrade mask. (fd_perms & ~check_perms) != 0 is an error. This makes it possible to say "I want to make sure the file is writable, but I don't actually want to write to it", which could plausibly be useful.

I would argue that these things should have new, sane bits, e.g. FILE_READ, FILE_WRITE, and FILE_EXECUTE (or maybe FILE_MAP_EXEC and FILE_EXECVE). And maybe there should be at least 16 bits for each mask reserved. Windows has a lot more mode bits than Linux, and it's not entirely nuts.

We do *not* need any direct equivalent of O_RDWR for openat2().

--Andy
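The three-mask design Andy sketches above, modelled in userspace as an added example. This is not code from the patch series or from any of the participants: the FILE_* bit values, the `open_how_masks` struct, the `fake_file`/`fake_fd` stand-ins for inode and mount state, and the rule that `upgrade_perms` must also lie within `check_perms` are all assumptions made here to make the validation concrete. It shows the `(fd_perms & ~check_perms) != 0` rejection, the "check writable but open read-only" case, the noexec-mount refusal that O_MAYEXEC/OA2_MAYEXEC is after, and a deferred upgrade to FILE_MAP_EXEC that stays bounded by the mask fixed at open time.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bits in the spirit of Andy's FILE_* proposal; not real kernel constants. */
#define FILE_READ      (1u << 0)
#define FILE_WRITE     (1u << 1)
#define FILE_MAP_EXEC  (1u << 2)
#define FILE_EXECVE    (1u << 3)
#define FILE_PERM_MASK 0xffffu   /* 16 bits reserved per mask, as suggested */

struct open_how_masks {
    uint32_t check_perms;   /* "fail if I don't have these perms" */
    uint32_t fd_perms;      /* rights carried by the returned fd */
    uint32_t upgrade_perms; /* rights the fd may later be upgraded to */
};

/* Constructed stand-in for inode permission bits plus the mount's noexec flag. */
struct fake_file { bool can_read, can_write, can_exec, mount_noexec; };

struct fake_fd {
    uint32_t granted;    /* currently usable rights */
    uint32_t upgradable; /* rights fd_upgrade() may still add */
};

static uint32_t file_available_perms(const struct fake_file *f)
{
    uint32_t avail = 0;
    if (f->can_read)  avail |= FILE_READ;
    if (f->can_write) avail |= FILE_WRITE;
    /* noexec on the mount withdraws both execution flavours, matching the OA2_MAYEXEC check. */
    if (f->can_exec && !f->mount_noexec) avail |= FILE_MAP_EXEC | FILE_EXECVE;
    return avail;
}

/* Returns 0 and fills *out, or a negative errno. */
int model_openat2(const struct fake_file *f, const struct open_how_masks *how, struct fake_fd *out)
{
    uint32_t all = how->check_perms | how->fd_perms | how->upgrade_perms;

    if (all & ~FILE_PERM_MASK)
        return -EINVAL;   /* unknown bits are rejected, never silently ignored */
    if (how->fd_perms & ~how->check_perms)
        return -EINVAL;   /* Andy's rule: (fd_perms & ~check_perms) != 0 is an error */
    if (how->upgrade_perms & ~how->check_perms)
        return -EINVAL;   /* assumption: an upgrade target must also have been checked at open */
    if (how->check_perms & ~file_available_perms(f))
        return -EACCES;   /* the permission check itself */

    out->granted = how->fd_perms;
    out->upgradable = how->upgrade_perms;
    return 0;
}

/* What a later write(), mmap(PROT_EXEC) or fexecve() would consult. */
bool fd_may(const struct fake_fd *fd, uint32_t bits) { return (bits & ~fd->granted) == 0; }

/* Upgrades are only allowed within the mask fixed at open time. */
int fd_upgrade(struct fake_fd *fd, uint32_t bits)
{
    if (bits & ~fd->upgradable) return -EPERM;
    fd->granted |= bits;
    return 0;
}

/* "Make sure the file is writable, but I don't actually want to write to it." */
int scenario_check_write_open_readonly(void)
{
    struct fake_file f = { .can_read = true, .can_write = true, .can_exec = false, .mount_noexec = false };
    struct open_how_masks how = { .check_perms = FILE_READ | FILE_WRITE, .fd_perms = FILE_READ, .upgrade_perms = 0 };
    struct fake_fd fd;
    int rc = model_openat2(&f, &how, &fd);
    if (rc) return rc;
    return (fd_may(&fd, FILE_READ) && !fd_may(&fd, FILE_WRITE)) ? 0 : -1;
}

/* Asking for fd rights that were never checked is a malformed request. */
int scenario_fd_perms_exceed_check(void)
{
    struct fake_file f = { .can_read = true, .can_write = true, .can_exec = true, .mount_noexec = false };
    struct open_how_masks how = { .check_perms = FILE_READ, .fd_perms = FILE_READ | FILE_WRITE, .upgrade_perms = 0 };
    struct fake_fd fd;
    return model_openat2(&f, &how, &fd);
}

/* An interpreter opening a script on a noexec mount while asking for an exec check. */
int scenario_interpreter_noexec_mount(void)
{
    struct fake_file f = { .can_read = true, .can_write = false, .can_exec = true, .mount_noexec = true };
    struct open_how_masks how = { .check_perms = FILE_READ | FILE_EXECVE, .fd_perms = FILE_READ, .upgrade_perms = 0 };
    struct fake_fd fd;
    return model_openat2(&f, &how, &fd);
}

/* Open read-only, with FILE_MAP_EXEC reserved for a later upgrade and nothing else. */
int scenario_upgrade_to_map_exec(void)
{
    struct fake_file f = { .can_read = true, .can_write = false, .can_exec = true, .mount_noexec = false };
    struct open_how_masks how = { .check_perms = FILE_READ | FILE_MAP_EXEC, .fd_perms = FILE_READ, .upgrade_perms = FILE_MAP_EXEC };
    struct fake_fd fd;
    int rc = model_openat2(&f, &how, &fd);
    if (rc) return rc;
    if (fd_may(&fd, FILE_MAP_EXEC)) return -1;                /* not usable until upgraded */
    if (fd_upgrade(&fd, FILE_EXECVE) != -EPERM) return -2;     /* never in the upgrade mask */
    if (fd_upgrade(&fd, FILE_MAP_EXEC) != 0) return -3;
    return fd_may(&fd, FILE_MAP_EXEC) ? 0 : -4;
}

int main(void)
{
    printf("check-write/open-readonly: %d\n", scenario_check_write_open_readonly());
    printf("fd_perms exceed check:     %d (EINVAL is %d)\n", scenario_fd_perms_exceed_check(), -EINVAL);
    printf("noexec mount:              %d (EACCES is %d)\n", scenario_interpreter_noexec_mount(), -EACCES);
    printf("upgrade to MAP_EXEC:       %d\n", scenario_upgrade_to_map_exec());
    return 0;
}
```

The point worth noticing is that the kernel-side enforcement is cheap: all three masks are validated against each other once, at open, and every later operation only consults the bits already stored on the fd.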