From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: "Aleksa Sarai" <cyphar@cyphar.com>, "Mickaël Salaün" <mic@digikod.net>
Cc: Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
Paul Moore <paul@paul-moore.com>, Serge Hallyn <serge@hallyn.com>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Christian Heimes <christian@python.org>,
Dmitry Vyukov <dvyukov@google.com>,
Elliott Hughes <enh@google.com>,
Fan Wu <wufan@linux.microsoft.com>,
Florian Weimer <fweimer@redhat.com>, Jann Horn <jannh@google.com>,
Jeff Xu <jeffxu@google.com>, Jonathan Corbet <corbet@lwn.net>,
Jordan R Abrahams <ajordanr@google.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Luca Boccassi <bluca@debian.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,
Robert Waite <rowait@microsoft.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Scott Shell <scottsh@microsoft.com>,
Steve Dower <steve.dower@python.org>,
Steve Grubb <sgrubb@redhat.com>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)
Date: Mon, 01 Sep 2025 11:24:17 +0200 [thread overview]
Message-ID: <54e27d05bae55749a975bc7cbe109b237b2b1323.camel@huaweicloud.com> (raw)
In-Reply-To: <2025-08-27-obscene-great-toy-diary-X1gVRV@cyphar.com>
On Thu, 2025-08-28 at 10:14 +1000, Aleksa Sarai wrote:
> On 2025-08-26, Mickaël Salaün <mic@digikod.net> wrote:
> > On Tue, Aug 26, 2025 at 11:07:03AM +0200, Christian Brauner wrote:
> > > Nothing has changed in that regard and I'm not interested in stuffing
> > > the VFS APIs full of special-purpose behavior to work around the fact
> > > that this is work that needs to be done in userspace. Change the apps,
> > > stop pushing more and more cruft into the VFS that has no business
> > > there.
> >
> > It would be interesting to know how to patch user space to get the same
> > guarantees... Do you think I would propose a kernel patch otherwise?
>
> You could mmap the script file with MAP_PRIVATE. This is the *actual*
> protection the kernel uses against overwriting binaries (yes, ETXTBSY is
> nice but IIRC there are ways to get around it anyway). Of course, most
> interpreters don't mmap their scripts, but this is a potential solution.
> If the security policy is based on validating the script text in some
> way, this avoids the TOCTOU.
>
> Now, in cases where you have IMA or something and you only permit signed
> binaries to execute, you could argue there is a different race here (an
> attacker creates a malicious script, runs it, and then replaces it with
> a valid script's contents and metadata after the fact to get
> AT_EXECVE_CHECK to permit the execution). However, I'm not sure that
Uhm, let's consider measurement, I'm more familiar with.
I think the race you wanted to express was that the attacker replaces
the good script, verified with AT_EXECVE_CHECK, with the bad script
after the IMA verification but before the interpreter reads it.
Fortunately, IMA is able to cope with this situation, since this race
can happen for any file open, where of course a file can be not read-
locked.
If the attacker tries to concurrently open the script for write in this
race window, IMA will report this event (called violation) in the
measurement list, and during remote attestation it will be clear that
the interpreter did not read what was measured.
We just need to run the violation check for the BPRM_CHECK hook too
(then, probably for us the O_DENY_WRITE flag or alternative solution
would not be needed, for measurement).
Please, let us know when you apply patches like 2a010c412853 ("fs:
don't block i_writecount during exec"). We had a discussion [1], but
probably I missed when it was decided to be applied (I saw now it was
in the same thread, but didn't get that at the time). We would have
needed to update our code accordingly. In the future, we will try to
clarify better our expectations from the VFS.
Thanks
Roberto
[1]: https://lore.kernel.org/linux-fsdevel/88d5a92379755413e1ec3c981d9a04e6796da110.camel@huaweicloud.com/#t
> this is even possible with IMA (can an unprivileged user even set
> security.ima?). But even then, I would expect users that really need
> this would also probably use fs-verity or dm-verity that would block
> this kind of attack since it would render the files read-only anyway.
>
> This is why a more detailed threat model of what kinds of attacks are
> relevant is useful. I was there for the talk you gave and subsequent
> discussion at last year's LPC, but I felt that your threat model was
> not really fleshed out at all. I am still not sure what capabilities you
> expect the attacker to have nor what is being used to authenticate
> binaries (other than AT_EXECVE_CHECK). Maybe I'm wrong with my above
> assumptions, but I can't know without knowing what threat model you have
> in mind, *in detail*.
>
> For example, if you are dealing with an attacker that has CAP_SYS_ADMIN,
> there are plenty of ways for an attacker to execute their own code
> without using interpreters (create a new tmpfs with fsopen(2) for
> instance). Executable memfds are even easier and don't require
> privileges on most systems (yes, you can block them with vm.memfd_noexec
> but CAP_SYS_ADMIN can disable that -- and there's always fsopen(2) or
> mount(2)).
>
> (As an aside, it's a shame that AT_EXECVE_CHECK burned one of the
> top-level AT_* bits for a per-syscall flag -- the block comment I added
> in b4fef22c2fb9 ("uapi: explain how per-syscall AT_* flags should be
> allocated") was meant to avoid this happening but it seems you and the
> reviewers missed that...)
>
next prev parent reply other threads:[~2025-09-01 9:41 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-22 17:07 [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Mickaël Salaün
2025-08-22 17:07 ` [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE Mickaël Salaün
2025-08-22 19:45 ` Jann Horn
2025-08-24 11:03 ` Mickaël Salaün
2025-08-24 18:04 ` Andy Lutomirski
2025-08-25 9:31 ` Mickaël Salaün
2025-08-25 9:39 ` Florian Weimer
2025-08-26 12:35 ` Mickaël Salaün
2025-08-25 16:43 ` Andy Lutomirski
2025-08-25 18:10 ` Jeff Xu
2025-08-25 17:57 ` Jeff Xu
2025-08-26 12:39 ` Mickaël Salaün
2025-08-26 20:29 ` Jeff Xu
2025-08-27 8:19 ` Mickaël Salaün
2025-08-28 20:17 ` Jeff Xu
2025-08-27 10:18 ` Aleksa Sarai
2025-08-27 10:29 ` Aleksa Sarai
2025-08-22 17:08 ` [RFC PATCH v1 2/2] selftests/exec: Add O_DENY_WRITE tests Mickaël Salaün
2025-08-26 9:07 ` [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Christian Brauner
2025-08-26 11:23 ` Mickaël Salaün
2025-08-26 12:30 ` Theodore Ts'o
2025-08-26 17:47 ` Mickaël Salaün
2025-08-26 20:50 ` Theodore Ts'o
2025-08-27 8:19 ` Mickaël Salaün
2025-08-27 17:35 ` Andy Lutomirski
2025-08-27 19:07 ` Mickaël Salaün
2025-08-27 20:35 ` Andy Lutomirski
2025-08-28 0:14 ` Aleksa Sarai
2025-08-28 0:32 ` Andy Lutomirski
2025-08-28 0:52 ` Aleksa Sarai
2025-08-28 21:01 ` Serge E. Hallyn
2025-09-01 11:05 ` Jann Horn
2025-09-01 13:18 ` Serge E. Hallyn
2025-09-01 16:01 ` Andy Lutomirski
2025-09-01 9:24 ` Roberto Sassu [this message]
2025-09-01 16:25 ` Andy Lutomirski
2025-09-01 17:01 ` Roberto Sassu
2025-09-02 8:57 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54e27d05bae55749a975bc7cbe109b237b2b1323.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=ajordanr@google.com \
--cc=arnd@arndb.de \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dvyukov@google.com \
--cc=enh@google.com \
--cc=fweimer@redhat.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mattbobrowski@google.com \
--cc=mic@digikod.net \
--cc=mszeredi@redhat.com \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=rowait@microsoft.com \
--cc=scottsh@microsoft.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=steve.dower@python.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).