From: Kees Cook <keescook@chromium.org>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Paul Moore <paul@paul-moore.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>
Subject: Re: [PATCH v3 1/3] LSM: add security_execve_abort() hook
Date: Wed, 7 Feb 2024 06:34:55 -0800 [thread overview]
Message-ID: <202402070631.7B39C4E8@keescook> (raw)
In-Reply-To: <1138640a-162b-4ba0-ac40-69e039884034@I-love.SAKURA.ne.jp>
On Wed, Feb 07, 2024 at 08:10:55PM +0900, Tetsuo Handa wrote:
> On 2024/02/07 9:00, Paul Moore wrote:
> >> @@ -1223,6 +1223,17 @@ void security_bprm_committed_creds(const struct linux_binprm *bprm)
> >> call_void_hook(bprm_committed_creds, bprm);
> >> }
> >>
> >> +/**
> >> + * security_execve_abort() - Notify that exec() has failed
> >> + *
> >> + * This hook is for undoing changes which cannot be discarded by
> >> + * abort_creds().
> >> + */
> >> +void security_execve_abort(void)
> >> +{
> >> + call_void_hook(execve_abort);
> >> +}
> >
> > I don't have a problem with reinstating something like
> > security_bprm_free(), but I don't like the name security_execve_abort(),
> > especially given that it is being called from alloc_bprm() as well as
> > all of the execve code. At the risk of bikeshedding this, I'd be much
> > happier if this hook were renamed to security_bprm_free() and the
> > hook's description explained that this hook is called when a linux_bprm
> > instance is being destroyed, after the bprm creds have been released,
> > and is intended to cleanup any internal LSM state associated with the
> > linux_bprm instance.
> >
> > Are you okay with that?
>
> Hmm, that will bring us back to v1 of this series.
>
> v3 was based on Eric W. Biederman's suggestion
>
> If you aren't going to change your design your new hook should be:
> security_execve_revert(current);
> Or maybe:
> security_execve_abort(current);
>
> At least then it is based upon the reality that you plan to revert
> changes to current->security. Saying anything about creds or bprm when
> you don't touch them, makes no sense at all. Causing people to
> completely misunderstand what is going on, and making it more likely
> they will change the code in ways that will break TOMOYO.
>
> at https://lkml.kernel.org/r/8734ug9fbt.fsf@email.froward.int.ebiederm.org .
Yeah, I'd agree with Eric on this: it's not about bprm freeing, it's
catching the execve failure. I think the name is accurate -- it mirrors
the abort_creds() call.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2024-02-07 14:34 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-06 13:58 [PATCH v3 0/3] fs/exec: remove current->in_execve flag Tetsuo Handa
2024-02-06 13:59 ` [PATCH v3 1/3] LSM: add security_execve_abort() hook Tetsuo Handa
2024-02-07 0:00 ` Paul Moore
2024-02-07 11:10 ` Tetsuo Handa
2024-02-07 14:34 ` Kees Cook [this message]
2024-02-07 16:01 ` Paul Moore
2024-02-14 21:46 ` Paul Moore
2024-02-15 14:33 ` Tetsuo Handa
2024-02-15 23:47 ` Paul Moore
2024-05-01 20:04 ` Kees Cook
2024-06-10 20:44 ` Paul Moore
2024-06-11 13:10 ` Tetsuo Handa
2024-06-11 17:19 ` Paul Moore
2024-02-06 13:59 ` [PATCH v3 2/3] tomoyo: replace current->in_execve flag with " Tetsuo Handa
2024-02-06 13:59 ` [PATCH v3 3/3] fs/exec: remove current->in_execve flag Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202402070631.7B39C4E8@keescook \
--to=keescook@chromium.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox