From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D9FEC46CD2 for ; Wed, 24 Jan 2024 22:06:30 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 951E28D0003; Wed, 24 Jan 2024 17:06:29 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 9021E8D0001; Wed, 24 Jan 2024 17:06:29 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 7C9C18D0003; Wed, 24 Jan 2024 17:06:29 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 6DB078D0001 for ; Wed, 24 Jan 2024 17:06:29 -0500 (EST) Received: from smtpin16.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id 3CFFFA226C for ; Wed, 24 Jan 2024 22:06:29 +0000 (UTC) X-FDA: 81715589298.16.05ABD0F Received: from mail-pl1-f179.google.com (mail-pl1-f179.google.com [209.85.214.179]) by imf12.hostedemail.com (Postfix) with ESMTP id 58FDB4001D for ; Wed, 24 Jan 2024 22:06:27 +0000 (UTC) Authentication-Results: imf12.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=OD8676zF; spf=pass (imf12.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.179 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706133987; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:dkim-signature; bh=GQhmzfTAsJcV9PaL7uovsChg4Yg2U/Z+yBT5DYmcULc=; b=7rNHLGZsx7aQidqh9FU2Mo9D6kFO0LGI3Utqij8Uu3ybO4VTeHC/zYpqqS+ZZCejeMb+rR wmFcVzOUWpLIYovbA7FCU0TKO8Y9fiVeXBDjonJZkZGVZ+RYTOnyIdfne+LViK+n3YnPIg 3idX8mrb51MjoS5ZLgEb1GbpyoRribc= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706133987; a=rsa-sha256; cv=none; b=dLiObRENt3x4rzraTyB7VsaWFX4c9DboykPJReg8LL1GxPLAkMKKeo0scqGAXd/PHKkJhH 7ksyQgI/AWoMKtrUYEacdzxhYqgtKoqNUil+M3eIFgjD27apOBD9oitJplM5ZntDIFE3PI OBQP198qbIZOiFDZK+IZvqQJz5guPr0= ARC-Authentication-Results: i=1; imf12.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b=OD8676zF; spf=pass (imf12.hostedemail.com: domain of keescook@chromium.org designates 209.85.214.179 as permitted sender) smtp.mailfrom=keescook@chromium.org; dmarc=pass (policy=none) header.from=chromium.org Received: by mail-pl1-f179.google.com with SMTP id d9443c01a7336-1d70a98c189so37476535ad.1 for ; Wed, 24 Jan 2024 14:06:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706133986; x=1706738786; darn=kvack.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=GQhmzfTAsJcV9PaL7uovsChg4Yg2U/Z+yBT5DYmcULc=; b=OD8676zFMpMS2nDgGdBSFozxk55jxSWZgy6E45ALlEgso3I3h0w/uA5c5YOqHfYVPY 8jWMZgbgG3fDxdqkkxy45+m2sW4CmIuUKWGOqfN8LCb5Cf4u9XsxbK/ATqWC8EJs+R5W S9dcnzTFCIMxldF2mC+HMZ8dihskEVMQnN4e0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706133986; x=1706738786; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=GQhmzfTAsJcV9PaL7uovsChg4Yg2U/Z+yBT5DYmcULc=; b=fYAlhLM+C84e6tzHbeC1gNnDjNvWNWQRA+o/8ZTQP21HycnE4BWe+HT5pt3jeAD8u5 sSTM6teMhS+oqVt6UTehFkF5Qa0rbZVI/dbXHjkVhacvlYBpo9JC670lwFPs2+Rg5CJd vjYFiVj5UDzkVWQiwPsu3LD+XMikxqEktXLy+DNbSHLiAxsHLJF8OXpLKOGoRxOJ9bsI ISH/CMZGQ09i2ZSiT7xBjpQ/dk0a/Z7zfsUuEShznZibM5WB//nS+Pkp8l61YKGQ4aNA 2G+bpwXbCh19dNemUFnhD9mXGHZMItrpaGB1gkEqmQUFqHsWgZs16eGBw5VEvujLvKgx bXyg== X-Gm-Message-State: AOJu0Ywi8+L5GhMjowrvy/suigCvS5DjZbPpH1MXZhPm+1C8LRX/ESp4 Drjo9QD305YhIAkZlHzrJ4gQ1B01A0TZyEqMhrp+rgEMq2SCRkMvKi/3FeCaiA== X-Google-Smtp-Source: AGHT+IGHYywWf+5nzxcSvzbfWT3qv6YRgnr2OB0CfhQi5LwevM4tDZ29AOUbaz9SAS7N7WG6MpupWQ== X-Received: by 2002:a17:902:ea10:b0:1d6:f263:5698 with SMTP id s16-20020a170902ea1000b001d6f2635698mr61299plg.28.1706133986148; Wed, 24 Jan 2024 14:06:26 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id h17-20020a170902f7d100b001d71ae81cbbsm9398467plw.190.2024.01.24.14.06.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 14:06:25 -0800 (PST) From: Kees Cook To: Kevin Locke Cc: Kees Cook , Jann Horn , Linus Torvalds , Eric Biederman , Alexander Viro , Christian Brauner , Jan Kara , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH] exec: Remove __FMODE_EXEC from uselib() Date: Wed, 24 Jan 2024 14:06:23 -0800 Message-Id: <20240124220619.work.227-kees@kernel.org> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=1955; i=keescook@chromium.org; h=from:subject:message-id; bh=gunPgS3TJQWZsp2MxCZKzizIUB7sMDtjwQmEImgzamo=; b=owEBbQKS/ZANAwAKAYly9N/cbcAmAcsmYgBlsYnf7Lk5Uf58mAb9lvaALksPqiA1c0eFcYWS1 pm8ae1S6IWJAjMEAAEKAB0WIQSlw/aPIp3WD3I+bhOJcvTf3G3AJgUCZbGJ3wAKCRCJcvTf3G3A Jh3PD/wJCOZiXf2turY8NXwNDR9hOetJn5TUurzjSx1454xqWSrni13jg9kUhLD8/Q3CJ0k7QtE lkVXUafB7zj45P53AR/4/7mbdMEUdN3IkYXJuDHj9CugQLCxGx/XEdyKVm2nTancZQxdKocFuvL BKD5whC/h3YmJ/elQq+LVUoaUoQujwHs/gWUm81mrJdrjnscFhP1aFDgg4/QL/yVX8/C1lnEd8W KULt3HRcq5HRP4zoBAW3+nOTrzatET2nm9FF43sWginO9aFnXzOSqnbb36xQkBqdlg2OdIELrUs HEmanv/2AURU4BEjz2DIMfC5O3P2u2hfeDxtTvcGKCK0WhFkJcXQ4+2PoOsUXkdbVtzQJrZJlrv zXFmWXLVdwYPZlYWePXATpqmiR5csemrnL87mZtP7lPcz0uShL4ThhOh8ZEEWj28vUfttd/k6ff 0ztAdSJFTWpRKG0ziU/UP3olgu9Rn6VSr7OcEj0kbeA2RAq/lgM1YECuIk/UL7aG2A3UFXjlpBX 1jfOmvDoaEfzKrpXM15eNkiWQ8OiMXxxkmqZqFPE2bntN8h41Nk1IlTisaVVdOusbm2usWcYVYZ /QCUMcvHCjm3Jxzo3pqMx39ax/dNE2k7R28V13HwSO1gG4FF44qH95KgUZHNt19WB6tb56+Q0al eHBAz9g maHQEgNQ== X-Developer-Key: i=keescook@chromium.org; a=openpgp; fpr=A5C3F68F229DD60F723E6E138972F4DFDC6DC026 Content-Transfer-Encoding: 8bit X-Stat-Signature: ow4gk14uddhe4kgkwy8kq91xkcs7x4x4 X-Rspamd-Server: rspam10 X-Rspamd-Queue-Id: 58FDB4001D X-Rspam-User: X-HE-Tag: 1706133987-551939 X-HE-Meta: U2FsdGVkX19ssLNm9mRal8JR78fj4eAmCL7dl7R3hbID67WShXhQxv5Py9CMCVhKhhSsEygbHrTcAdZ+yNsVUa2Vu5LA+v2klIV9gOrU1sMexQnCHEnRGQBHn3HhYyxrdVS3/QrNSxXtBwHsW435L9rcr2PVP8PC0/P504XfT+V8xxrtOkbN/+vA9aTr7UteG7jwQyQc2GrK0X9OoK0UAM+iX+2OVY+cfoeHVBBLrvNxlZ4pcBmQZZoFRACulk26DJSIe8GtfJaF8PCH8RCgs9zCe5GUfuA3JUkyQab715ly1ZAr8nyzWnJA6rdWq6My18uYzgEVtO7TuntnxBFu973y8lljrUa40EZ5kjutHAp68gMH6m+tF+c3cwPaMAxA+Q+DfelTNHTkhRarN+BGtt4kVJJzbgIbLzmmCGuOherOtNMNAXJ5Fq6Nks8xw1PgpGmBTPtT8PW9MMYb42wZA9AU9Hh0nmAHS/sVe7cHD1kxldGkzLLr6cO0iPXWxgOspa/B3R/9/cwzaEQVPBjAixqahgj1/Ue8IjilIfo/aASanjmA6XZmQmKKbr58dCHh3xODW73YmwL3RS/CKZgP89CiRrEJIGLB9tLqOFGdUuei8hnOxuTF/CV6TUsuBmf6KarCcJBuRwvsVv2CaK3WPtSgjce4Ssblqkfb96tDI9gsdkB2U1uFftUrrPOuSQ/uQiD2bB0FHs7n/qLQF4gU9b4cPtRAxwP1ImXqoG3jOCNxDgB/Y+xWDikzwKVDVWu76Tj6f25AjX6wnw0bGqGPHMqYZrTRZ4YTvuwff7zZZsNG8T7ZNDeye209fdpmDMO6bkkB2k+7ui2ZP8vRHe2G6VLEJiFpgntaDx+Ic1+dwpBxOBeGU66jvjkiuem8V7yiXBErHUjbJ711gcULmF0n9dwPNOHeZ1i3yXdNTyxwB96u2KyKIHxUBkVsgpbJsIuMKrmBumslhVR+cp3tpg2 bySpKihr g8fd0+1Onp6pZMbbmZemAIWh5GnYi31vPMHfOu6Le7JD338wbf2Hl4h8llfae4svwlFxbtj3Tg7vi1uFvJxGA0DM8tLQ3QDN2+woqZOFwhq7ZSbCRQqDgg5X5wjcdMdjbtjT/wdXk7d/uUaJOhcW4gnABR+tW0C5j0M1Vn2hDOMMDDxv39tVr26RdSUgdGe0jLsICE7KFX7vEH88MMKGQQqek8WZtBO6/tkDozXdIAU0+EDr3QNDX5qOZZFL3WTq15d2AMYSF1budcrk5hjzliHbBezJMxZBmPVs7WW97+enwG4eknuKinl5Jf0BVWQV72edliHYp/3zQLLxDO7ESSYX4poGvqZbR/7lGn/jNam9eLN5GxKvH/t/fJ5RZxAPWMD3b2KPG8YBNZr/2BO/w1hcGEHv5zVbjuxYs/ZXjZSHsNlKeHEFkvXowMeTLv58f9iFrEt2tXPBofbNEHaZBp6r9D+eToRUj5TCUCnhVwVGS7NcGZFAMLu2nmp7SI6ytEh8yx7vl6cqB8AJRnRGSFca+ko5giUbfdHVCR4Hjv+ULwlopdmkkQeFdzJZn3nHe5/BMGpua5PwyackOw6ua/Y80co7QaARIGT9lnUcjcTC7SIeipvaRK5KlO6+rOXgZr2FWBszE2oZOjnZSt0GqIIwzixAGpU8kLzmR4pZDaNr8i++Y3TPjkpOhFSJK6KXzNfaNKKg1OBni1BmhkRLA1+4eUgw8llsy9Dbnq0Bus5TxdREgZhQRin69WA== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Path-based LSMs will bypass uselib() "open" checks since commit 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"), so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual "mmap" hooks will be restored. (uselib() never set current->in_execve.) Other things that checked __FMODE_EXEC: - fs/fcntl.c is just doing a bitfield sanity check. - nfs_open_permission_mask() is only checking for the "unreadable exec" case, which is not an issue for uselib(), which sets MAY_READ, unlike execve(). - fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't an exec: it's more like mmap(), which fsnotify doesn't intercept. Reported-by: Jann Horn Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/ Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs") Suggested-by: Linus Torvalds Cc: Kevin Locke Cc: Eric Biederman Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: linux-mm@kvack.org Cc: linux-fsdevel@vger.kernel.org Signed-off-by: Kees Cook --- fs/exec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exec.c b/fs/exec.c index d179abb78a1c..af4fbb61cd53 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) struct filename *tmp = getname(library); int error = PTR_ERR(tmp); static const struct open_flags uselib_flags = { - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, + .open_flag = O_LARGEFILE | O_RDONLY, .acc_mode = MAY_READ | MAY_EXEC, .intent = LOOKUP_OPEN, .lookup_flags = LOOKUP_FOLLOW, -- 2.34.1