Received: by 10.223.185.111 with SMTP id b44csp642314wrg; Fri, 9 Mar 2018 10:52:18 -0800 (PST) X-Google-Smtp-Source: AG47ELsukfGDoTXc7beYlLwIprEmibtsmkVhbD9YWnh5p3Rm3vX/KIcRnAV/qGx+8tTI4nRrinSQ X-Received: by 2002:a17:902:6c01:: with SMTP id q1-v6mr19090965plk.142.1520621537944; Fri, 09 Mar 2018 10:52:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520621537; cv=none; d=google.com; s=arc-20160816; b=uxJUlmSoEJ31W8xIpnA8te2BRcHVp+MmPS2aMnFhA0ujwW528nJETnIiITbai3PD7K tggCGYRfaJvXXZpcCQKg+cHrRgf3rh0+Gu4OR2LHGfWBdKciL8ks2JUiTUCgwotiF/yG pCVk6hQuvU9qlXS7FAfoE9NIocMAWaYg6F0+EOUp7Iq8mOnwzk5lPIZ9Q/j7XK1eG4+B MtUZTFAB5IQI1FonO7vCCWGOEJGV72P8kHYPa9oA0nFSkZRieypIrLqh/N1YD2j51725 A13EpOtabibGjJ9CO/vmddz2dxy7BUYu9ay6sss72shV7bVgJBSyj+OOo5iUsTN5GTFz 5XJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=; b=FGnRh4CHYDfFKldXVHghA/tE9GYuYreiM5eaA7tsMKsZRqW3JOvNJTsnEyPUVsLPKp ej1YB8KY0bcguWvhfAwSOiogIcv0XX6WUJ5mrb7tuTPrDbO0qQx2X0JOndDa92FC6gIj R4J9UJDwfuCS5+rlvoa9TC0atdCIlkhp00VliUeGTuEPjTVSinb3VjZGTzjsx06SoH0x IAhorfmxtOs/sOHYmaQ/zHCecL4V5PNIt3sfn5v3yelWhMNozZ0wN7n2vzqsdll/LU5x tyYUAjcI76PQ6/lSH6qyjglHYGgmjhCfMDtCY0QiKpSeD0a2Uv29Jp2MgW9jetq/QQea PSJQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=oD2bpRZ3; dkim=fail header.i=@linux-foundation.org header.s=google header.b=Yto8VYIg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b187si1095704pgc.205.2018.03.09.10.52.02; Fri, 09 Mar 2018 10:52:17 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=oD2bpRZ3; dkim=fail header.i=@linux-foundation.org header.s=google header.b=Yto8VYIg; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932499AbeCISvD (ORCPT + 99 others); Fri, 9 Mar 2018 13:51:03 -0500 Received: from mail-it0-f68.google.com ([209.85.214.68]:38387 "EHLO mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932165AbeCISvB (ORCPT ); Fri, 9 Mar 2018 13:51:01 -0500 Received: by mail-it0-f68.google.com with SMTP id j7-v6so4020665ita.3; Fri, 09 Mar 2018 10:51:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=; b=oD2bpRZ3AwlNeptPh/1gmmBkJmsKEJWWFmD4L6eStfoC9SK17yVG3bkLv8CjZ64DTq I5vxliL2sm0PnoZ6VugrmBnjSp2XZinPctOGclZL7FzIuWLJUub+r9XvObV7icamn7ea dEu47wA2BV63uxYvQv1bDxxKbLsC9FXcSOAyPvtOPMpYcTE/bpPNTD6ZAcm/K5mOP2Q1 U1n3sBqKUIDXz6E1C6DzrQeJmdhgh6aiDMp5XNLjvm8J61bs2Q0hN/wYYiGfhob7W24+ GiZhCPFylbMVzg2MfcnLClZIMGos+DR8O2iXpoqIvvCI3/NF21RmHBWwZV+fXHkBpHdc G27g== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=; b=Yto8VYIgsncKWIiJxllG9jWMv6clOqtbppvDy0atFl3333YGSJ4jq16442kD9sNfwz Ce314mg/jQJH7b7Jn5y7VDsuzB8dEfERBEp0FmvXs2aiw+LN/PsKMP3JZg5VRJzMoDym x9I82VSzeGMsE9l3PsZlhd1Jd8A41hBdkraGU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=; b=OXnRYrpRTNRdDtS1NUJaGR7Y4bPxkEevFUfVRwtlQ0gP/WootXEah6sHHhntRT/pMS /R/kR6yHM4kX0R7hVIITWc1IAijd4islgGcKMh4zNxTLzWTHjqIQj1Vr/SMBAfUXf6OS vlm+mkeNAPD6gxMmsyQdFOviRaOxF179wv/XIQHrVKonfKvZARtguCLo1RxdUBJIGz/e Dz+NxSKnBJaP7aVPCRRfJxbB+Psdc8sbJF0x92kRkdVlquN5DH5yps29tmg02qNm+658 ICW1v92RAwgk+MWxcJDN5aLK5Q2X+BNn6Rh26CIHlYlj1JvTROYLxBvDL4szgTyJra0G w2OQ== X-Gm-Message-State: AElRT7EhiHq/nx2V4yc6njBguvTMNZYJtNzhQWTFAzBlXSnTN6Zsgm6M 1NgLwAAtz4kh52ixKSS+7KpjVvXrXWGpznK/Upc= X-Received: by 2002:a24:87c3:: with SMTP id f186-v6mr4954924ite.100.1520621460308; Fri, 09 Mar 2018 10:51:00 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Fri, 9 Mar 2018 10:50:59 -0800 (PST) In-Reply-To: References: <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <20180309.133509.1275903267249306409.davem@davemloft.net> From: Linus Torvalds Date: Fri, 9 Mar 2018 10:50:59 -0800 X-Google-Sender-Auth: 0eD574dZ3b_QqaATyGzOuaiRD3g Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Kees Cook Cc: David Miller , Alexei Starovoitov , Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 10:43 AM, Kees Cook wrote: > > Module loading (via kernel_read_file()) already uses > deny_write_access(), and so does do_open_execat(). As long as module > loading doesn't call allow_write_access() before the execve() has > started in the new implementation, I think we'd be covered here. No. kernel_read_file() only does it *during* the read. So there's a huge big honking gap between the two. Also, the second part of my suggestion was to be entirely synchronous with the whole execution of the process, and do it within the "we do mutual exclusion fo rmodules with the same name" logic. Note that Andrei's patch uses UMH_WAIT_EXEC. That's basically "vfork+exec" - it only waits for the exec to have started, it doesn't wait for the whole thing. So I'm saying "use UMH_WAIT_PROC, do it in a different place, and make sure you cover the whole sequence with deny_write_access()". Linus