From: Linus Torvalds
Date: Sat, 11 May 2019 13:26:55 -0400
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
To: Andy Lutomirski
Cc: Jann Horn, Andy Lutomirski, Aleksa Sarai, Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Eric Biederman, Andrew Morton, Alexei Starovoitov, Kees Cook, Christian Brauner, Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov, Aleksa Sarai, Linux Containers, linux-fsdevel, Linux API, kernel list, linux-arch
X-Mailing-List: linux-fsdevel@vger.kernel.org

On Sat, May 11, 2019 at 1:21 PM Linus Torvalds wrote:
>
> Notice? None of the real problems are about execve or would be solved
> by any spawn API. You just think that because you've apparently been
> talking to too many MS people that think fork (and thus indirectly
> execve()) is bad process management.

Side note: a good policy has been (and remains) to make suid binaries
not be dynamically linked. And in the absence of that, the dynamic
linker at least resets the library path when it notices itself being
dynamic, and it certainly doesn't inherit any open flags from the
non-trusted environment.

And by the same logic, a suid interpreter *definitely* should not
inherit any execve() flags from the non-trusted environment. So I
think Aleksa's patch to use the passed-in open flags is *exactly* the
wrong thing to do for security reasons. It doesn't close holes, it
opens them.

Linus
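
The principle in the message above (code running with raised privilege discards loader settings supplied by its caller), as an added example that is not part of the original message and is not glibc or kernel code. It assumes Linux with glibc's `getauxval()`; the variable list is a constructed, partial one, and `exec_is_secure`, `is_unsafe` and `scrub_env` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */

/* Constructed, partial list of loader-controlling variables (assumption:
 * the real loader's list is longer and treats LD_PRELOAD less bluntly). */
static const char *const unsafe_prefixes[] = {
    "LD_LIBRARY_PATH=", "LD_PRELOAD=", "LD_AUDIT=",
};

/* 1 if the kernel marked this exec as crossing a privilege boundary
 * (set-uid, set-gid or file capabilities), else 0. */
int exec_is_secure(void) { return getauxval(AT_SECURE) != 0; }

static int is_unsafe(const char *entry)
{
    size_t n = sizeof(unsafe_prefixes) / sizeof(unsafe_prefixes[0]);
    for (size_t i = 0; i < n; i++)
        if (strncmp(entry, unsafe_prefixes[i], strlen(unsafe_prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, dropping caller-supplied loader settings when
 * `secure` is non-zero. Returns the number of entries dropped. */
int scrub_env(char **envp, int secure)
{
    int dropped = 0;
    char **out = envp;
    if (!secure)
        return 0;               /* unprivileged exec: keep everything */
    for (char **in = envp; *in != NULL; in++) {
        if (is_unsafe(*in))
            dropped++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment, as an untrusted caller might pass it. */
    char *env[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/hook.so",
                    "LD_LIBRARY_PATH=/tmp/lib", "HOME=/home/u", NULL };
    int dropped = scrub_env(env, 1);    /* 1 = simulate a set-uid exec */
    printf("AT_SECURE=%d dropped=%d\n", exec_is_secure(), dropped);
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

In a real privileged program the second argument would be `exec_is_secure()`; `main` passes 1 only so the filtering is visible when run unprivileged.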