Received: by 10.223.185.111 with SMTP id b44csp642314wrg;
        Fri, 9 Mar 2018 10:52:18 -0800 (PST)
X-Google-Smtp-Source: AG47ELsukfGDoTXc7beYlLwIprEmibtsmkVhbD9YWnh5p3Rm3vX/KIcRnAV/qGx+8tTI4nRrinSQ
X-Received: by 2002:a17:902:6c01:: with SMTP id q1-v6mr19090965plk.142.1520621537944;
        Fri, 09 Mar 2018 10:52:17 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520621537; cv=none;
        d=google.com; s=arc-20160816;
        b=uxJUlmSoEJ31W8xIpnA8te2BRcHVp+MmPS2aMnFhA0ujwW528nJETnIiITbai3PD7K
         tggCGYRfaJvXXZpcCQKg+cHrRgf3rh0+Gu4OR2LHGfWBdKciL8ks2JUiTUCgwotiF/yG
         pCVk6hQuvU9qlXS7FAfoE9NIocMAWaYg6F0+EOUp7Iq8mOnwzk5lPIZ9Q/j7XK1eG4+B
         MtUZTFAB5IQI1FonO7vCCWGOEJGV72P8kHYPa9oA0nFSkZRieypIrLqh/N1YD2j51725
         A13EpOtabibGjJ9CO/vmddz2dxy7BUYu9ay6sss72shV7bVgJBSyj+OOo5iUsTN5GTFz
         5XJg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=;
        b=FGnRh4CHYDfFKldXVHghA/tE9GYuYreiM5eaA7tsMKsZRqW3JOvNJTsnEyPUVsLPKp
         ej1YB8KY0bcguWvhfAwSOiogIcv0XX6WUJ5mrb7tuTPrDbO0qQx2X0JOndDa92FC6gIj
         R4J9UJDwfuCS5+rlvoa9TC0atdCIlkhp00VliUeGTuEPjTVSinb3VjZGTzjsx06SoH0x
         IAhorfmxtOs/sOHYmaQ/zHCecL4V5PNIt3sfn5v3yelWhMNozZ0wN7n2vzqsdll/LU5x
         tyYUAjcI76PQ6/lSH6qyjglHYGgmjhCfMDtCY0QiKpSeD0a2Uv29Jp2MgW9jetq/QQea
         PSJQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=oD2bpRZ3;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=Yto8VYIg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b187si1095704pgc.205.2018.03.09.10.52.02;
        Fri, 09 Mar 2018 10:52:17 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=oD2bpRZ3;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=Yto8VYIg;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932499AbeCISvD (ORCPT <rfc822;kernelgary@gmail.com> + 99 others);
        Fri, 9 Mar 2018 13:51:03 -0500
Received: from mail-it0-f68.google.com ([209.85.214.68]:38387 "EHLO
        mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932165AbeCISvB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 9 Mar 2018 13:51:01 -0500
Received: by mail-it0-f68.google.com with SMTP id j7-v6so4020665ita.3;
        Fri, 09 Mar 2018 10:51:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=;
        b=oD2bpRZ3AwlNeptPh/1gmmBkJmsKEJWWFmD4L6eStfoC9SK17yVG3bkLv8CjZ64DTq
         I5vxliL2sm0PnoZ6VugrmBnjSp2XZinPctOGclZL7FzIuWLJUub+r9XvObV7icamn7ea
         dEu47wA2BV63uxYvQv1bDxxKbLsC9FXcSOAyPvtOPMpYcTE/bpPNTD6ZAcm/K5mOP2Q1
         U1n3sBqKUIDXz6E1C6DzrQeJmdhgh6aiDMp5XNLjvm8J61bs2Q0hN/wYYiGfhob7W24+
         GiZhCPFylbMVzg2MfcnLClZIMGos+DR8O2iXpoqIvvCI3/NF21RmHBWwZV+fXHkBpHdc
         G27g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=;
        b=Yto8VYIgsncKWIiJxllG9jWMv6clOqtbppvDy0atFl3333YGSJ4jq16442kD9sNfwz
         Ce314mg/jQJH7b7Jn5y7VDsuzB8dEfERBEp0FmvXs2aiw+LN/PsKMP3JZg5VRJzMoDym
         x9I82VSzeGMsE9l3PsZlhd1Jd8A41hBdkraGU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=cMGCEteHzsfXHuCHkuEm4GollyuT6o6Mm7rJpLfAKvk=;
        b=OXnRYrpRTNRdDtS1NUJaGR7Y4bPxkEevFUfVRwtlQ0gP/WootXEah6sHHhntRT/pMS
         /R/kR6yHM4kX0R7hVIITWc1IAijd4islgGcKMh4zNxTLzWTHjqIQj1Vr/SMBAfUXf6OS
         vlm+mkeNAPD6gxMmsyQdFOviRaOxF179wv/XIQHrVKonfKvZARtguCLo1RxdUBJIGz/e
         Dz+NxSKnBJaP7aVPCRRfJxbB+Psdc8sbJF0x92kRkdVlquN5DH5yps29tmg02qNm+658
         ICW1v92RAwgk+MWxcJDN5aLK5Q2X+BNn6Rh26CIHlYlj1JvTROYLxBvDL4szgTyJra0G
         w2OQ==
X-Gm-Message-State: AElRT7EhiHq/nx2V4yc6njBguvTMNZYJtNzhQWTFAzBlXSnTN6Zsgm6M
        1NgLwAAtz4kh52ixKSS+7KpjVvXrXWGpznK/Upc=
X-Received: by 2002:a24:87c3:: with SMTP id f186-v6mr4954924ite.100.1520621460308;
 Fri, 09 Mar 2018 10:51:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.135.221 with HTTP; Fri, 9 Mar 2018 10:50:59 -0800 (PST)
In-Reply-To: <CAGXu5jJcuSojm_KN5+JQ3fV6J09V6dmNB6haqu11xkXTq=nxog@mail.gmail.com>
References: <C94A45E9-54A0-446D-86D6-82D06E2A35CD@amacapital.net>
 <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <CA+55aFwfcXzD+pzjN=vTcvscpK97pSztUZ2JK7pABs+rMtM7BQ@mail.gmail.com>
 <20180309.133509.1275903267249306409.davem@davemloft.net> <CAGXu5jJcuSojm_KN5+JQ3fV6J09V6dmNB6haqu11xkXTq=nxog@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Fri, 9 Mar 2018 10:50:59 -0800
X-Google-Sender-Auth: 0eD574dZ3b_QqaATyGzOuaiRD3g
Message-ID: <CA+55aFzJEkUGfRkKqc8twaDSdSH_r_OWnFm-e4uNQf4SrJy7-A@mail.gmail.com>
Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries
To:     Kees Cook <keescook@chromium.org>
Cc:     David Miller <davem@davemloft.net>,
        Alexei Starovoitov <ast@fb.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Alexei Starovoitov <ast@kernel.org>,
        Djalal Harouni <tixxdz@gmail.com>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Greg KH <gregkh@linuxfoundation.org>,
        "Luis R. Rodriguez" <mcgrof@kernel.org>,
        Network Development <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        kernel-team <kernel-team@fb.com>,
        Linux API <linux-api@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Mar 9, 2018 at 10:43 AM, Kees Cook <keescook@chromium.org> wrote:
>
> Module loading (via kernel_read_file()) already uses
> deny_write_access(), and so does do_open_execat(). As long as module
> loading doesn't call allow_write_access() before the execve() has
> started in the new implementation, I think we'd be covered here.

No. kernel_read_file() only does it *during* the read.

So there's a huge big honking gap between the two.

Also, the second part of my suggestion was to be entirely synchronous
with the whole execution of the process, and do it within the "we do
mutual exclusion fo rmodules with the same name" logic.

Note that Andrei's patch uses UMH_WAIT_EXEC. That's basically
"vfork+exec" - it only waits for the exec to have started, it doesn't
wait for the whole thing.

So I'm saying "use UMH_WAIT_PROC, do it in a different place, and make
sure you cover the whole sequence with deny_write_access()".

              Linus