Received: by 10.223.185.111 with SMTP id b44csp645447wrg; Fri, 9 Mar 2018 10:56:08 -0800 (PST) X-Google-Smtp-Source: AG47ELt7rPbZb892ZTXdRxRXkgqbdL76ljRRH/GjY2XTFMUV3W+LS8RaE14cpZoO4rzUi7X4naVB X-Received: by 10.98.171.24 with SMTP id p24mr31092746pff.71.1520621768636; Fri, 09 Mar 2018 10:56:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520621768; cv=none; d=google.com; s=arc-20160816; b=pIlfUhOJ9zqH1inoHd76tdEqhZAlPNFTvs6Ky6+OnoxNXln7Kx2r7fcdlGnQ2q9Fh1 EhcgCUGrt2xrheOpzJnc419063xWMU6FlxTojm/cffjyv5+XlfKdkdyHviQmS9hjvmCQ q8MTmBwa8VbkcR6xKZ3VZEPF+PjxeAtHlTm7jEftH0TsqPq98SdEGwa7M6WlutzExFw4 7N3S94PSyP+vtc/IgPwVlEVsFvdMmNBjU1YtzOJbUlWIFIxJxAUWGoA+DVKrc/tvREmj JNjrYHFb33GWPJ/f+ntxjQi18qOZrVa6X89gCfgrUmZgIeaFXz/EsnxvoIicXL1BwXKH rUVA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=WjreCNu+lZ9yc8NH/eKsheeUYpYrp1GxCinwGaSfF0I=; b=fIE4fGMayccdREafxNabZ2kOtpdN0wQkIUW1LXq1Cu9kz5Z9iWh8UM1BSCucugEcM2 hIt42uuP4UcaiEgnD8vNdYeQ8TX8Zui+aiQT/P7e776wHEZO4dNkkf2UUdL/9ESfZCzP 7okIxxijkEolY454TwkqGVxIQMbHlSMB9cnEfe6YnJ/a7gtpaZFgz3eUWQLPTctYxoYn puYHsGfccJy9K7oLL7H9O+iSCe4uqiSn3H9QF8uVS9HKETqZD2/7F5GwDJhnh200V9Ws Ws28fqcebIrqYoNAmCX+D8K+D4Ws9cNGbqHDKvriqJZU9tUf0GKMq0ls4jt7Wdpd0Ays 13QQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=n+u5rPtq; dkim=fail header.i=@chromium.org header.s=google header.b=E9AAlLL6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si1303682plx.24.2018.03.09.10.55.54; Fri, 09 Mar 2018 10:56:08 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=n+u5rPtq; dkim=fail header.i=@chromium.org header.s=google header.b=E9AAlLL6; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932581AbeCISyW (ORCPT + 99 others); Fri, 9 Mar 2018 13:54:22 -0500 Received: from mail-ua0-f196.google.com ([209.85.217.196]:42152 "EHLO mail-ua0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932551AbeCISyM (ORCPT ); Fri, 9 Mar 2018 13:54:12 -0500 Received: by mail-ua0-f196.google.com with SMTP id b23so2906000uak.9 for ; Fri, 09 Mar 2018 10:54:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=WjreCNu+lZ9yc8NH/eKsheeUYpYrp1GxCinwGaSfF0I=; b=n+u5rPtq5Rybi7hldQ5Kk+Nhb+6wN21AF0WbQRyqEkJm0/PNLAPG6ziqq0lx0OJVYB eayXKEifK7W5haCJSLuCmR+eQMq/gBPXp+JGQX0nBLBZYp6W0V0QgkLiYasrgSzYX84g /tcLbd9/f7NcfLxyglMIrAe1hpsl4RTeUH//OpDr8kH6/5oVLoOO/sgR+MkxtbYLonmt Wi1sNfJOHP232Sos3ZQc1v6fAm1/s6T2y464AwjFA2u3jqM7SsrgfqpWYonlvMwBFTMG 6ptn2rYTg7pEIP80bYoLQl21EfiMem85x+fqeMPm5YRPM7uAOb2aF+pK8D7N2cZihcK2 gzCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=WjreCNu+lZ9yc8NH/eKsheeUYpYrp1GxCinwGaSfF0I=; b=E9AAlLL6B2WaJT32WcM63grzrsnFa2YOJ7MW6AV6Oe8VKeIL2L1oeIozDDOgJLYQYe RF7vg3br1w5vQdn611d3MaQic8Hc2eznzF+F3rIZhbYrgWezhrDUfQUSS+neJVyG2NLq QCQT7kkvIGcGS7vXvm/2KF3hQBc2+zdk2TkUc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=WjreCNu+lZ9yc8NH/eKsheeUYpYrp1GxCinwGaSfF0I=; b=R/aA09EBaujeWcQe5MsLmmI5hDwEKnfxqK+ohdBpvYMl+Trh14ddbAKbKrOJhXbvt/ Yxwv426Caypn611WoZ1Zyq62GiSDhnxVJyfN7eHCRbi7+ypvKYnvQ4Pmx6prN7b/uos/ HUrK8IbRJE7kN7SSutYxXHl6MHmID/C1FSQTUxSF6/IF6AbvkHruRfy9OCrkdTG1ZW5e Xq7ofItjPU6l0FkCzoGT4JcHmqqAriB+baoQhiNdTl+PLedQSN4Ht0Y9qHw1e8gFU00S 3PJ6AgdgcT2UYPNLe6pqKphR4LVEskIbvGrvKklh8VNFEBaBjViKZTPjsJHCM+ZtoqqO CG6Q== X-Gm-Message-State: APf1xPBWc8xWpvFnZxoIzsIa1m2q9JaUTxKdPvfYAlNUMKmUUIkP9Cyb dR2CLCE5BkWaKPfwoOnJ+lo3yUQwJ/gIrBygddopLw== X-Received: by 10.176.74.90 with SMTP id r26mr23139036uae.164.1520621651180; Fri, 09 Mar 2018 10:54:11 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Fri, 9 Mar 2018 10:54:10 -0800 (PST) In-Reply-To: References: <87478c51-59a7-f6ac-1fb2-f3ca2dcf658b@fb.com> <20180309.133509.1275903267249306409.davem@davemloft.net> From: Kees Cook Date: Fri, 9 Mar 2018 10:54:10 -0800 X-Google-Sender-Auth: 2v0TFcJuFVGk-vCxVyRqJPr07_k Message-ID: Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf binaries To: Linus Torvalds Cc: David Miller , Alexei Starovoitov , Andy Lutomirski , Alexei Starovoitov , Djalal Harouni , Al Viro , Daniel Borkmann , Greg KH , "Luis R. Rodriguez" , Network Development , LKML , kernel-team , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 10:50 AM, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 10:43 AM, Kees Cook wrote: >> >> Module loading (via kernel_read_file()) already uses >> deny_write_access(), and so does do_open_execat(). As long as module >> loading doesn't call allow_write_access() before the execve() has >> started in the new implementation, I think we'd be covered here. > > No. kernel_read_file() only does it *during* the read. Ah, true. And looking at this again, shouldn't deny_write_access() happen _before_ the LSM check in kernel_read_file()? That looks like a problem... -Kees -- Kees Cook Pixel Security