From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Eric Biggers <ebiggers3@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
linux-fsdevel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/4] Relocate execve() sanity checks
Date: Tue, 19 May 2020 13:42:28 -0500 [thread overview]
Message-ID: <87sgfvrckr.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <202005191052.0A6B1D5843@keescook> (Kees Cook's message of "Tue, 19 May 2020 10:56:08 -0700")
Kees Cook <keescook@chromium.org> writes:
> On Tue, May 19, 2020 at 12:41:27PM -0500, Eric W. Biederman wrote:
>> Kees Cook <keescook@chromium.org> writes:
>> > and given the LSM hooks, I think the noexec check is too late as well.
>> > (This is especially true for the coming O_MAYEXEC series, which will
>> > absolutely need those tests earlier as well[1] -- the permission checking
>> > is then in the correct place: during open, not exec.) I think the only
>> > question is about leaving the redundant checks in fs/exec.c, which I
>> > think are a cheap way to retain a sense of robustness.
>>
>> The trouble is when someone passes through changes one of the permission
>> checks for whatever reason (misses that they are duplicated in another
>> location) and things then fail in some very unexpected way.
>
> Do you think this series should drop the "late" checks in fs/exec.c?
> Honestly, the largest motivation for me to move the checks earlier as
> I've done is so that other things besides execve() can use FMODE_EXEC
> during open() and receive the same sanity-checking as execve() (i.e the
> O_MAYEXEC series -- the details are still under discussion but this
> cleanup will be needed regardless).
I think this series should drop the "late" checks in fs/exec.c It feels
less error prone, and it feels like that would transform this into
something Linus would be eager to merge because series becomes a cleanup
that reduces line count.
I haven't been inside of open recently enough to remember if the
location you are putting the check fundamentally makes sense. But the
O_MAYEXEC bits make a pretty strong case that something of the sort
needs to happen.
I took a quick look but I can not see clearly where path_noexec
and the regular file tests should go.
I do see that you have code duplication with faccessat which suggests
that you haven't put the checks in the right place.
I am wondering if we need something distinct to request the type of the
file being opened versus execute permissions.
All I know is being careful and putting the tests in a good logical
place makes the code more maintainable, whereas not being careful
results in all kinds of sharp corners that might be exploitable.
So I think it is worth digging in and figuring out where those checks
should live. Especially so that code like faccessat does not need
to duplicate them.
Eric
next prev parent reply other threads:[~2020-05-19 18:46 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-18 5:54 [PATCH 0/4] Relocate execve() sanity checks Kees Cook
2020-05-18 5:54 ` [PATCH 1/4] exec: Change uselib(2) IS_SREG() failure to EACCES Kees Cook
2020-05-18 13:02 ` Christian Brauner
2020-05-18 14:43 ` Jann Horn
2020-05-18 14:46 ` Christian Brauner
2020-05-18 23:57 ` Eric W. Biederman
2020-05-19 8:11 ` Christian Brauner
2020-05-19 8:37 ` Andreas Schwab
2020-05-19 11:56 ` Eric W. Biederman
2020-05-19 12:12 ` Andreas Schwab
2020-05-19 12:28 ` Eric W. Biederman
2020-05-19 13:29 ` Christian Brauner
2020-05-19 14:49 ` Eric W. Biederman
2020-05-19 13:13 ` Christian Brauner
2020-05-19 14:32 ` Geert Uytterhoeven
2020-05-19 14:47 ` Christian Brauner
2020-05-18 5:54 ` [PATCH 2/4] exec: Relocate S_ISREG() check Kees Cook
[not found] ` <20200525091420.GI12456@shao2-debian>
2020-06-04 22:45 ` [exec] 166d03c9ec: ltp.execveat02.fail Kees Cook
2020-06-05 2:57 ` Kees Cook
2020-05-18 5:54 ` [PATCH 3/4] exec: Relocate path_noexec() check Kees Cook
2020-05-18 5:54 ` [PATCH 4/4] fs: Include FMODE_EXEC when converting flags to f_mode Kees Cook
2020-05-19 15:06 ` [PATCH 0/4] Relocate execve() sanity checks Eric W. Biederman
2020-05-19 16:26 ` Kees Cook
2020-05-19 17:41 ` Eric W. Biederman
2020-05-19 17:56 ` Kees Cook
2020-05-19 18:42 ` Eric W. Biederman [this message]
2020-05-19 21:17 ` Kees Cook
2020-05-19 22:58 ` John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sgfvrckr.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=ebiggers3@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox