From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Christian Heimes" <christian@python.org>,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
"James Morris" <jmorris@namei.org>,
"Luis Chamberlain" <mcgrof@kernel.org>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Muhammad Usama Anjum" <usama.anjum@collabora.com>,
"Paul Moore" <paul@paul-moore.com>,
"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
"Shuah Khan" <skhan@linuxfoundation.org>,
"Steve Dower" <steve.dower@python.org>,
"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
linux-integrity <linux-integrity@vger.kernel.org>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"LSM List" <linux-security-module@vger.kernel.org>,
"Christian Brauner" <brauner@kernel.org>
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
Date: Mon, 4 Apr 2022 15:25:19 -0700 [thread overview]
Message-ID: <202204041451.CC4F6BF@keescook> (raw)
In-Reply-To: <CAHk-=wjPuRi5uYs9SuQ2Xn+8+RnhoKgjPEwNm42+AGKDrjTU5g@mail.gmail.com>
On Mon, Apr 04, 2022 at 02:28:19PM -0700, Linus Torvalds wrote:
> Now, what I *think* you mean is
>
> (1) user-space executable loaders want to be able to test the *same*
> policy as the kernel does for execve()
Right. The script interpreter wants to ask "if this file were actually
an ELF going through execve(), would the kernel allow it?"
> (2) access(path, EXECVE_OK) will do the same permission checks as
> "execve()" would do for that path
Maybe. I defer to Mickaël here, but my instinct is to avoid creating an
API that can be accidentally misused. I'd like this to be fd-only based,
since that removes path name races. (e.g. trusted_for() required an fd.)
> (3) if you already have the fd open, use "faccess(fd, NULL,
> F_OK_TO_EXECUTE, AT_EMPTY_PATH)"
Yes, specifically faccessat2(). (And continuing the race thought above,
yes, there could still be races if the content of the file could be
changed, but that case is less problematic under real-world conditions.)
> (4) maybe we want to add a flag for the "euid vs real uid", and that
> would be in the "flags" field, since that changes the actual *lookup*
> semantics
>
> Note that that (4) is something that some normal user space has wanted
> in the past too (GNU libcs has a "eaccess()" thing for "effective uid
> access").
I think this already exists as AT_EACCESS? It was added with
faccessat2() itself, if I'm reading the history correctly.
And I just need to say that the thought of setuid script interpreters
still makes me sad. :)
> - I really want the exact semantics very clearly defined. I think
> it's ok to say "exact same security check as for 'execve()'", but even
> then we need to have that discussion about
>
> (a) "what about suid bits that user space cannot react to"
What do you mean here? Do you mean setid bits on the file itself?
> (b) that whole "effective vs real" discussion
I think this is handled with AT_EACCESS?
--
Kees Cook
next prev parent reply other threads:[~2022-04-04 23:02 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-21 16:15 [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2022-03-21 17:38 ` Luis Chamberlain
2022-03-21 18:05 ` Mickaël Salaün
2022-03-21 23:32 ` Luis Chamberlain
2022-03-30 16:06 ` Mickaël Salaün
2022-04-04 18:40 ` Kees Cook
2022-04-04 18:47 ` Linus Torvalds
2022-04-04 20:30 ` Mickaël Salaün
2022-04-04 21:28 ` Linus Torvalds
2022-04-04 21:40 ` Linus Torvalds
2022-04-04 22:25 ` Kees Cook [this message]
2022-04-04 23:26 ` Linus Torvalds
2022-04-05 16:09 ` Mickaël Salaün
2022-04-05 16:17 ` Linus Torvalds
2023-02-08 19:32 ` Kees Cook
2023-02-09 15:43 ` Mickaël Salaün
2022-04-05 22:21 ` Theodore Ts'o
2022-04-05 15:55 ` Mickaël Salaün
2022-04-05 15:38 ` Mickaël Salaün
2022-04-05 14:54 ` Theodore Ts'o
2022-04-05 16:14 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202204041451.CC4F6BF@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=christian@python.org \
--cc=geert@linux-m68k.org \
--cc=jmorris@namei.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=mic@digikod.net \
--cc=paul@paul-moore.com \
--cc=philippe.trebuchet@ssi.gouv.fr \
--cc=skhan@linuxfoundation.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@ssi.gouv.fr \
--cc=torvalds@linux-foundation.org \
--cc=usama.anjum@collabora.com \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).