Date: Tue, 13 Mar 2018 16:16:04 +1100 (AEDT)
From: James Morris
To: Kees Cook, Al Viro
cc: linux-kernel@vger.kernel.org, Linus Torvalds, LSM List, "Serge E. Hallyn", Mimi Zohar, linux-integrity, Paul Moore, Stephen Smalley
Subject: Re: [PATCH v2] exec: Set file unwritable before LSM check
In-Reply-To: <20180309193020.GA5149@beast>
References: <20180309193020.GA5149@beast>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 9 Mar 2018, Kees Cook wrote:

> The LSM check should happen after the file has been confirmed to be
> unchanging. Without this, we could have a race between the Time of Check
> (the call to security_kernel_read_file() which could read the file and
> make access policy decisions) and the Time of Use (starting with
> kernel_read_file()'s reading of the file contents). In theory, file
> contents could change between the two.
>
> Signed-off-by: Kees Cook
> ---
> v2: Clarify the ToC/ToU race (Linus)

I'll merge this unless Al objects (cc'd).

>
> Only loadpin and SELinux currently implement this hook. From what
> I can see, this won't change anything for either of them. IMA calls
> kernel_read_file(), but looking there it seems those callers won't be
> negatively impacted either. Can folks double-check this and send an
> Ack please?
> ---
> fs/exec.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 7eb8d21bcab9..a919a827d181 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -895,13 +895,13 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
>  	if (!S_ISREG(file_inode(file)->i_mode) || max_size < 0)
>  		return -EINVAL;
>  
> -	ret = security_kernel_read_file(file, id);
> +	ret = deny_write_access(file);
>  	if (ret)
>  		return ret;
>  
> -	ret = deny_write_access(file);
> +	ret = security_kernel_read_file(file, id);
>  	if (ret)
> -		return ret;
> +		goto out;
>  
>  	i_size = i_size_read(file_inode(file));
>  	if (max_size > 0 && i_size > max_size) {

-- 
James Morris
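Review bot: The `return ret` to `goto out` change on the security_kernel_read_file() failure path is the only behavioural change beyond the reordering, and the hunk stops before the `out:` label, so from these lines alone a reviewer cannot confirm that the deny_write_access() taken two lines earlier is released with allow_write_access(file) when the LSM rejects the read; please either extend the hunk context down to the `out:` cleanup or state in the commit message that the new early exit relies on it. The -EINVAL return at the top is unchanged and still happens before deny_write_access(), so nothing is leaked on that path.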
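As an added example that is not part of this thread or of the kernel source, here is a small userspace model of the ordering the patch changes. The names mimic kernel_read_file()'s helpers (deny_write_access(), i_writecount) but are stand-ins, the file contents and the racing write are constructed, and the "time of check" is simply a copy of the bytes the LSM hook would have looked at.

```c
#include <errno.h>
#include <string.h>

/* Model of an inode's writer accounting (stand-in for the kernel's
 * i_writecount): > 0 means open writers, < 0 means writes are denied. */
struct mfile { int i_writecount; char data[32]; };

/* Mirrors deny_write_access(): refuses if a writer already has the file. */
static int deny_write_access(struct mfile *f)
{
	if (f->i_writecount > 0) return -ETXTBSY;
	f->i_writecount--;
	return 0;
}
static void allow_write_access(struct mfile *f) { f->i_writecount++; }

/* A write attempt racing with the loader; refused once writes are denied. */
static int racing_write(struct mfile *f, const char *new_data)
{
	if (f->i_writecount < 0) return -ETXTBSY;
	strcpy(f->data, new_data);
	return 0;
}

/* Models kernel_read_file(). check_first=1 is the pre-patch order (LSM hook
 * before deny_write_access()), 0 the patched order. Returns a negative errno,
 * 1 if the policy check and the later read saw the same bytes, else 0. */
static int model_kernel_read_file(struct mfile *f, int check_first,
				  const char *concurrent)
{
	char checked[32], used[32]; int ret;
	if (check_first) {
		strcpy(checked, f->data);    /* Time of Check, file not frozen */
		racing_write(f, concurrent); /* nothing stops this write */
	}
	if ((ret = deny_write_access(f)) < 0) return ret;
	if (!check_first) {
		strcpy(checked, f->data);    /* Time of Check, file frozen */
		racing_write(f, concurrent); /* refused with -ETXTBSY */
	}
	strcpy(used, f->data);               /* Time of Use */
	allow_write_access(f);               /* the out: cleanup in the patch */
	return strcmp(checked, used) == 0;
}
/* Runs one ordering against a constructed file holding "trusted". */
static int run_scenario(int check_first, int open_writers)
{
	struct mfile f = { open_writers, "trusted" };
	return model_kernel_read_file(&f, check_first, "swapped");
}
```

With the old order the check and the use disagree (the write landed in between); with the patched order the racing write is refused and both see the same bytes, and a file already open for writing is rejected up front with -ETXTBSY.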