Received: by 10.223.185.111 with SMTP id b44csp688830wrg; Fri, 9 Mar 2018 11:48:53 -0800 (PST) X-Google-Smtp-Source: AG47ELsAjfbNBljZEE3JNBQkBvA8JAZVVq95h3Cnw0zjWx+uXtfGdCtbGRWPVRr822oDjuIBfbp9 X-Received: by 2002:a17:902:b691:: with SMTP id c17-v6mr2107433pls.308.1520624933589; Fri, 09 Mar 2018 11:48:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520624933; cv=none; d=google.com; s=arc-20160816; b=fJpthq+F3IxysqvytguT/Y9drdxbCw4wDry0j+j2CA+OCIVGPAI6ZRUsbMfel8ljkg +qX5/cFDia7+G1RgZehawbj4MfXnZaWp/QtUkrXim7OG1zAIjZqI40GyCO7mS7AEq+RL IScIdG6RGx6UaQ1wrJEMO3fEadc2l9ulnbg+J8DYnZJ8KcchlcK1pekUcH6/MLqgVru/ VjbT3msoVg+pgTwUDQSvTLV8husmQnA6kKcg2Ey3jKB/cXxSd+mIq+5dMpDl4Y6CT3LN whcPkWxPzjFGYpcWfq0J28snVKsbj+Nrz5ENjXln3FxOAOhftliVNOUKh1HvvM1t125O GD4w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=jnsnfHp3YLaEMBTp7UWC6Hitzi6W639SN6OQI0aIAyY=; b=YD6EN+2WsSQ7Sh91q3g7X+OfW7xZr6YmhZErNWoXoMPHn7e8KD5OHqnIKcuZzzcu+v QAxkvpF5eemY049lhzMuf5ASEI+AIXs264R5V3Leqj2eDf/AJFef3cc4mpQTK7nxdaXo wLNcm3FHzlXHx9zKRrNBphtSqFN7XRrasdJGnoZoLPQReXSdMtxhFkXiwgzYCU/FYu1+ Rqu6OoMnA0BckjouXVT0jNujw4yaldKa5ggQgppHNJnUr0y4ZQ3hisTWRulf2T0YeNL3 LINoKAz8KbdaeRci+X1tx5jma3rwmMR5L7TFm69f0k2viySAZGDx1tMJh0Q6zqIhpeCO b83Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=EUzHyDtW; dkim=fail header.i=@linux-foundation.org header.s=google header.b=LuUCqUva; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 97-v6si1380484plb.23.2018.03.09.11.48.38; Fri, 09 Mar 2018 11:48:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=EUzHyDtW; dkim=fail header.i=@linux-foundation.org header.s=google header.b=LuUCqUva; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932458AbeCITrr (ORCPT + 99 others); Fri, 9 Mar 2018 14:47:47 -0500 Received: from mail-io0-f177.google.com ([209.85.223.177]:32845 "EHLO mail-io0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932183AbeCITro (ORCPT ); Fri, 9 Mar 2018 14:47:44 -0500 Received: by mail-io0-f177.google.com with SMTP id f1so4779662iob.0; Fri, 09 Mar 2018 11:47:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jnsnfHp3YLaEMBTp7UWC6Hitzi6W639SN6OQI0aIAyY=; b=EUzHyDtWYowy2gCIB+ubn77KVHOSZfmu51LZ49wuBQmPTPrIr7VKkja26j4Vr8AEuo yfAFvJtGbCUsaZgwyEC4AXFAU8i65JzdFAnbisMqENbZMhAPIvXCowJTUSs35TPl80NG Q8vK3aRfwE21azf2lRKK917kxzUtVLMHU895N4T6BAiH0v8yZuD9Tuw9tNNYaeDvnxCi Nr5S1QCZ3hWh3tFC9LC+l5M2AVT/HXTrXJ9g+tv97zZyHpIn5yeGySPCelLM9dBCrci9 IJgfkM8yH/4lHZ6HEqWIOAcyfnqY2FU96pEpQ9P/ZazANpRn+U+QEEMM9yHYX6/9LEBO +mMQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jnsnfHp3YLaEMBTp7UWC6Hitzi6W639SN6OQI0aIAyY=; b=LuUCqUvaUizDZ73PhOvBgit1lEsKZgkbhG2NKZG3L4SRd/rbZxKF8b+Pb6sSdc+cX3 u42JPkuS48rR5YC/r702RIiHptQXCElXhZUhBWyKYIO4DeB7r9qoiWcZDdePWHcMvDx0 WPlydet6nOIrMwUXBDyeRwNzV2wWfN73FQCqo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jnsnfHp3YLaEMBTp7UWC6Hitzi6W639SN6OQI0aIAyY=; b=NT6fBzoQz6aaxIxZKyxLiLxn85ZpVAfR7mnNDoZFgcwk14XZy4Ie0qFi0JX/x82E6/ xLY59V+hGA2KQfJSiAB0coDlQ+iYgmiDyMPbt4OqaEwf4J8f9yF+l97Wjjm7UhqZcxjc 95TwiWy0oQMPkll4ax/nDI97ziV/UJ/PHXkqCxv/RvnhMJ7e/71FXLxW8J2Qw0m4U3kn dMI6ANUikhR1FMkjNIalz5bNZS1RzP3q+m5T8YPaDtLKmaPPddQcvj3xuvfcbnplnr3w VsyhlTolgea/M/ZzvJEBYUmJKrWU9VSKhxXn2iyoJ5+542pdf+XqpouS0Hk/yhNbY1G8 tL2Q== X-Gm-Message-State: APf1xPBgpY9oPGQxX8w64rqhxIJr+BlSFN2gDrRUo7g7/ZFAqNCTTRjO uTHkUv7RK8TJ8zdur4bDnOC0h5ahNbT5iQ4HWEE= X-Received: by 10.107.10.155 with SMTP id 27mr38851983iok.259.1520624863981; Fri, 09 Mar 2018 11:47:43 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Fri, 9 Mar 2018 11:47:43 -0800 (PST) In-Reply-To: <20180309193020.GA5149@beast> References: <20180309193020.GA5149@beast> From: Linus Torvalds Date: Fri, 9 Mar 2018 11:47:43 -0800 X-Google-Sender-Auth: 1L1s7qshL6RHBxDma6iS1bN5OEI Message-ID: Subject: Re: [PATCH v2] exec: Set file unwritable before LSM check To: Kees Cook Cc: James Morris , Linux Kernel Mailing List , LSM List , "Serge E. Hallyn" , Mimi Zohar , linux-integrity , Paul Moore , Stephen Smalley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 11:30 AM, Kees Cook wrote: > The LSM check should happen after the file has been confirmed to be > unchanging. Without this, we could have a race between the Time of Check > (the call to security_kernel_read_file() which could read the file and > make access policy decisions) and the Time of Use (starting with > kernel_read_file()'s reading of the file contents). In theory, file > contents could change between the two. I'm going to assume I get this for 4.17 from the security tree. Because I'm guessing there are actually no existing users that care? selinux seems to just look at file state, not actually at contents or anything that write access denial would care about. And the only other security module that even registers this is loadpin, and again it just seems to check things like "on the right filesystem" that aren't actually impacted by write access (in fact, the documented reason is to check that it's a read-only filesystem so that write access is simply _irrelevant_). So this issue seems to be mainly a cleanliness thing, not an actual bug. Linus