From: Kees Cook <keescook@chromium.org>
To: Christoph Hellwig <hch@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Jan Kara <jack@suse.cz>, yalin wang <yalin.wang2010@gmail.com>,
Willy Tarreau <w@1wt.eu>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v5] fs: clear file privilege bits when mmap writing
Date: Wed, 9 Dec 2015 19:25:26 -0800 [thread overview]
Message-ID: <CAGXu5jL0Zv6mCoEw6pyZsgHjo8BdcF0B-xM_EkMtp7TRB94dKQ@mail.gmail.com> (raw)
In-Reply-To: <20151210012130.GA17673@infradead.org>
On Wed, Dec 9, 2015 at 5:21 PM, Christoph Hellwig <hch@infradead.org> wrote:
>> Changing the bits requires holding inode->i_mutex, so it cannot be done
>> during the page fault (due to mmap_sem being held during the fault). We
>> could do this during vm_mmap_pgoff, but that would need coverage in
>> mprotect as well, but to check for MAP_SHARED, we'd need to hold mmap_sem
>> again. We could clear at open() time, but it's possible things are
>> accidentally opening with O_RDWR and only reading. Better to clear on
>> close and error failures (i.e. an improvement over now, which is not
>> clearing at all).
>>
>> Instead, detect the need to clear the bits during the page fault, and
>> actually remove the bits during final fput. Since the file was open for
>> writing, it wouldn't have been possible to execute it yet.
>
>
>>
>> Signed-off-by: Kees Cook <keescook@chromium.org>
>> ---
>> I think this is the best we can do; everything else is blocked by mmap_sem.
>
> It should be done at mmap time, before even taking mmap_sem.
>
> Adding a new field for this to strut file isn't really acceptable.
I already covered this: there's no way to handle the mprotect case --
checking for MAP_SHARED is under mmap_sem still.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2015-12-10 3:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-09 22:51 [PATCH v5] fs: clear file privilege bits when mmap writing Kees Cook
2015-12-10 1:21 ` Christoph Hellwig
2015-12-10 3:25 ` Kees Cook [this message]
2015-12-10 4:14 ` Al Viro
2015-12-10 7:06 ` Willy Tarreau
2015-12-10 7:10 ` Willy Tarreau
2015-12-10 18:05 ` Kees Cook
2015-12-10 18:16 ` Willy Tarreau
2015-12-10 18:18 ` Kees Cook
2015-12-10 19:33 ` Al Viro
2015-12-10 19:47 ` Kees Cook
2015-12-10 20:27 ` Al Viro
2015-12-10 21:45 ` Kees Cook
2015-12-10 21:56 ` Al Viro
2015-12-10 22:00 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXu5jL0Zv6mCoEw6pyZsgHjo8BdcF0B-xM_EkMtp7TRB94dKQ@mail.gmail.com \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=viro@zeniv.linux.org.uk \
--cc=w@1wt.eu \
--cc=yalin.wang2010@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).