Received: by 10.223.185.111 with SMTP id b44csp693601wrg; Fri, 9 Mar 2018 11:55:15 -0800 (PST) X-Google-Smtp-Source: AG47ELu2oIbKPXCPhUo4WwupDXgMRFT6hN0YsfMMTjbiHgNcRHzdiLjNglb7WGwgSW+KNWmQGexH X-Received: by 2002:a17:902:6041:: with SMTP id a1-v6mr28378138plt.225.1520625315520; Fri, 09 Mar 2018 11:55:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520625315; cv=none; d=google.com; s=arc-20160816; b=VdV53dqXUTu9PJpSB23cjOSCVfih6qxMUv0b2jpaIys4MvRIQTdQSQrcBYHBAaz/1B MRVmrn2rvSNQKcTeryz001VygLFqWCQ3ro4fhrKHPknWtbREv0Bp3Kp2qByD6vGjqyZh 5C/VuXMdLD79vYQ2iQWyyuAI8HTD5lNbzEZjptfUpHa5d0R24WStY9qJJBG2nmlSPhMM BoXr4bylOHTDqJQU8ip3elfPWnRvqf6ulHg08Z9AacXQCoXrAHyUv4T3mvJxyC1+sbWR EjWQ3niUb4fknunkBCYjGH8JWbLxGR73u6K6vvyABZjpCQBP69db8nRRKIjxWRVmFzxs YRKQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=usEG3AePlnAZor61LJSS9THVDuo8Lf+7biNzW5IrgVU=; b=MIbF5nn/LCwDrccg43MU9W230t6bxiPxZP72qSnKpG4OeEsZWVQmvnrqCw+qnAsJP6 goO2Ox0iiwhgjcfELF5aw9JPXMrthRs42NVXj+Y7zvU62/Z5SMvl8o8Hps8Wr6Fhyzsw KjqCEtWIZvGcVNOnnAIMVSqR4D8cHfz7XvCI3Zd+ihb3SYLb4N2N+29W2XXDCiFIwJX5 8EDXdgupwHlGvTaznwl6RbqbsIaIdMMKGkG84ja1tZa3jelP2FlIn57ZMkiOSzucjqrq 9bNp3XEsnfQJx4HJYg5+CqZFyeaI7yWx7A/xR+CaF1Qcm6Bogi/JJqK10ZL4sqglisvT LfJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=E7qJt3qK; dkim=fail header.i=@chromium.org header.s=google header.b=mWgbCO7C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l3-v6si1401453plt.146.2018.03.09.11.55.00; Fri, 09 Mar 2018 11:55:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=E7qJt3qK; dkim=fail header.i=@chromium.org header.s=google header.b=mWgbCO7C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932432AbeCITyJ (ORCPT + 99 others); Fri, 9 Mar 2018 14:54:09 -0500 Received: from mail-vk0-f54.google.com ([209.85.213.54]:40057 "EHLO mail-vk0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751192AbeCITyG (ORCPT ); Fri, 9 Mar 2018 14:54:06 -0500 Received: by mail-vk0-f54.google.com with SMTP id n82so2844931vkf.7 for ; Fri, 09 Mar 2018 11:54:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=usEG3AePlnAZor61LJSS9THVDuo8Lf+7biNzW5IrgVU=; b=E7qJt3qKxNeajOI3bXyB17gAgETCP1nHgvcX/aOaaL5GueFCiwg+aijoEcrqTzgcjQ Qm2tYrM7k4xX/BeH690pbxDKz8368DN8McXE6rHgAxP7xdtFSGsPuca/rhN9tZP+jp9X 0LOuRMr7ZUcNOBQvCYOla6kQSZoxRx6MNxWtdktbJdM2DMP1hRZ5KtVb8pdT0V2cYYL7 1ntgavNUbXDdfHpgMkxhoFDytY+7lJ/QE/PoohZmZmWuHmFTW1+5KLNXAmt7nm5y4tjk YcwmlOtYO1gU9Zo3SgwccXHantbmt/tn1D+9Iqy4H6NDa85UxR57qUvvq/KDTMFuqCtr xhnQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=usEG3AePlnAZor61LJSS9THVDuo8Lf+7biNzW5IrgVU=; b=mWgbCO7CdJ5izOmu7oXyqvr4DxNKhG3HjeUkNWSMQyqV3hqm/xWCqGifBsQW1jCSBi zJvdOpYQHZnSUuiEkM3CCdqFf1StJNHBdN4qUJhTzW1lj9qi31Nkf3Asj+nambLxB72B 80JlN5QDvfhsF3aBevt29L503+YHUdp9H8ZNw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=usEG3AePlnAZor61LJSS9THVDuo8Lf+7biNzW5IrgVU=; b=rQgBMO4mg3bb9AaagevDMfcSp218GIcEWixHXMOrEWEzjpvmzHjTZ3mMBXdM1yIK6B CIGrs9x8a91jeyZaATjZ8FZyzZ0hBIEqhxQqAPpyv6tHyz0ST/soM8diS/IACF2KbZIR 3xL57bTlLYIY+05Qs8mZ/L9TLo6hafIi8ExwaWs6G4FM3NjoePuHXCG6dz3B+949Kf6F LLgmSle9WLPdd4I1ITLU88/UKrFvYk6f5hf60ADu/61GJ3gcA4mGovHeIh1bmuIJoeTB cotFNObyeJ+1LkqEVp8cA+9fkSIc4ZcbkxUpV3YExlXS/ezQ8z93+ZtwopwxW/1ucKu7 lQNw== X-Gm-Message-State: APf1xPBKhF4yyYxfFQSmMB9eg+u+OTU2QeWxNgq8Im/tQUQygrGPNyKd 0fLNeGkqKxJpuYH7PTfj01SO5u3JpWnxSMl/S4aH48Lt X-Received: by 10.31.83.197 with SMTP id h188mr22621449vkb.84.1520625245574; Fri, 09 Mar 2018 11:54:05 -0800 (PST) MIME-Version: 1.0 Received: by 10.31.242.140 with HTTP; Fri, 9 Mar 2018 11:54:04 -0800 (PST) In-Reply-To: References: <20180309193020.GA5149@beast> From: Kees Cook Date: Fri, 9 Mar 2018 11:54:04 -0800 X-Google-Sender-Auth: Z5ZBqJB_1Zrf3fnCrJScWnTezgc Message-ID: Subject: Re: [PATCH v2] exec: Set file unwritable before LSM check To: Linus Torvalds Cc: James Morris , Linux Kernel Mailing List , LSM List , "Serge E. Hallyn" , Mimi Zohar , linux-integrity , Paul Moore , Stephen Smalley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Mar 9, 2018 at 11:47 AM, Linus Torvalds wrote: > On Fri, Mar 9, 2018 at 11:30 AM, Kees Cook wrote: >> The LSM check should happen after the file has been confirmed to be >> unchanging. Without this, we could have a race between the Time of Check >> (the call to security_kernel_read_file() which could read the file and >> make access policy decisions) and the Time of Use (starting with >> kernel_read_file()'s reading of the file contents). In theory, file >> contents could change between the two. > > I'm going to assume I get this for 4.17 from the security tree. > > Because I'm guessing there are actually no existing users that care? > selinux seems to just look at file state, not actually at contents or > anything that write access denial would care about. > > And the only other security module that even registers this is > loadpin, and again it just seems to check things like "on the right > filesystem" that aren't actually impacted by write access (in fact, > the documented reason is to check that it's a read-only filesystem so > that write access is simply _irrelevant_). > > So this issue seems to be mainly a cleanliness thing, not an actual bug. That is my assumption too (I left off the Cc: stable as a result). I'm much less familiar with IMA, though, but it's a caller of kernel_read_file(), not hooking it, etc. -Kees -- Kees Cook Pixel Security