From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp-bc0a.mail.infomaniak.ch (smtp-bc0a.mail.infomaniak.ch [45.157.188.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C3C731527B6 for ; Tue, 9 Jul 2024 20:42:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.157.188.10 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720557762; cv=none; b=O8RQlw9QVvVwtXy3IbKQWUYMrW3gKqAJFB5igRDMkuUyMjAyOdDm/0fWGvtWMiI9QLYmDYerOiAqT7WaV0WNZ+0VeosAef4ud8D2kV9HB9lmnzgmKFnT0iv7xnsDXn8ArUa3jMjylkrht13DQihCYLGhXpgV6xnM9gQsaH4hn5s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720557762; c=relaxed/simple; bh=4E6D9pAiCi2RY9ka7qkuscXPvLR3w0RSeZF0twwnVeg=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=iO+7tSYzLjcP2FL4D6JjrPaNzpFz8bxNfcaGkQhYZ44y57EEwoUWr4R4nC9EAP6JvlAkeBsrpB+fDFfIbCu8nOI0mLfZoqxktQDVncaHS4ZkBc0G3QJngEdzRmjVtxfYhfJkOP2DQIMtbo42NQ0Wt1Fv3OptuwGVslJb48AC5BY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=qBhszl/J; arc=none smtp.client-ip=45.157.188.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="qBhszl/J" Received: from smtp-4-0000.mail.infomaniak.ch (smtp-4-0000.mail.infomaniak.ch [10.7.10.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4WJXx35Qyfz5QY; Tue, 9 Jul 2024 22:42:31 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1720557751; bh=zJhS7of/CAzAVW6Q59+RaHwwypnLdu6BBXvJ+or8B1M=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qBhszl/JKbeRElfW9FNgl6e0YtKN0eXAABvDYpCkPxvHKO6FYUnOCU+NSyU5Vk/Bq SKoFzFVP5RewPlBZEWP6/sCwGbLP4G82aZve9Pz856jfAr3qWb074ap4csT0oj6F8o 0B/tm4NzPlpNRodzi04GFH2QnJGO/DLLZ89Tjhng= Received: from unknown by smtp-4-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4WJXx16BPRz22D; Tue, 9 Jul 2024 22:42:29 +0200 (CEST) Date: Tue, 9 Jul 2024 22:42:26 +0200 From: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= To: Florian Weimer Cc: Jeff Xu , Al Viro , Christian Brauner , Kees Cook , Linus Torvalds , Paul Moore , Theodore Ts'o , Alejandro Colomar , Aleksa Sarai , Andrew Morton , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Christian Heimes , Dmitry Vyukov , Eric Biggers , Eric Chiang , Fan Wu , Geert Uytterhoeven , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Jordan R Abrahams , Lakshmi Ramasubramanian , Luca Boccassi , Luis Chamberlain , "Madhavan T . Venkataraman" , Matt Bobrowski , Matthew Garrett , Matthew Wilcox , Miklos Szeredi , Mimi Zohar , Nicolas Bouchinet , Scott Shell , Shuah Khan , Stephen Rothwell , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Xiaoming Ni , Yin Fengwei , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2) Message-ID: <20240709.aa5ahChoo7No@digikod.net> References: <20240704190137.696169-1-mic@digikod.net> <20240704190137.696169-2-mic@digikod.net> <87bk3bvhr1.fsf@oldenburg.str.redhat.com> <87ed83etpk.fsf@oldenburg.str.redhat.com> <87r0c3dc1c.fsf@oldenburg.str.redhat.com> <20240709.gae4cu4Aiv6s@digikod.net> <87ed82283l.fsf@oldenburg.str.redhat.com> Precedence: bulk X-Mailing-List: linux-fsdevel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87ed82283l.fsf@oldenburg.str.redhat.com> X-Infomaniak-Routing: alpha On Tue, Jul 09, 2024 at 12:05:50PM +0200, Florian Weimer wrote: > * Mickaël Salaün: > > >> > If we want to avoid that, we could have an agreed-upon error code which > >> > the LSM can signal that it'll never fail AT_CHECK checks, so we only > >> > have to perform the extra system call once. > > > > I'm not sure to follow. Either we check executable code or we don't, > > but it doesn't make sense to only check some parts (except for migration > > of user space code in a system, which is one purpose of the securebits > > added with the next patch). > > > > The idea with AT_CHECK is to unconditionnaly check executable right the > > same way it is checked when a file is executed. User space can decide > > to check that or not according to its policy (i.e. securebits). > > I meant it purely as a performance optimization, to skip future system > calls if we know they won't provide any useful information for this > process. In the grand scheme of things, the extra system call probably > does not matter because we already have to do costly things like mmap. Indeed, the performance impact of execveat+AT_CHECK should be negligible compared to everything else needed to interpret a script or spawn a process. Moreover, these checks should only be performed when SECBIT_SHOULD_EXEC_CHECK is set for the caller.