Date: Mon, 19 Mar 2018 15:52:18 +1100 (AEDT)
From: James Morris
To: Kees Cook
cc: linux-kernel@vger.kernel.org, Linus Torvalds, LSM List, "Serge E. Hallyn", Mimi Zohar, linux-integrity, Paul Moore, Stephen Smalley
Subject: Re: [PATCH v2] exec: Set file unwritable before LSM check
In-Reply-To: <20180309193020.GA5149@beast>
References: <20180309193020.GA5149@beast>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 9 Mar 2018, Kees Cook wrote:

> The LSM check should happen after the file has been confirmed to be
> unchanging. Without this, we could have a race between the Time of Check
> (the call to security_kernel_read_file() which could read the file and
> make access policy decisions) and the Time of Use (starting with
> kernel_read_file()'s reading of the file contents). In theory, file
> contents could change between the two.
>
> Signed-off-by: Kees Cook
> ---
> v2: Clarify the ToC/ToU race (Linus)

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
next-general and next-testing

-- 
James Morris
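
An added illustration of the ordering argument in the quoted commit message, not code from the patch or the kernel: a userspace model that compares "check, then deny writes" with "deny writes, then check". The names model_file, model_deny_write, model_write, model_lsm_check and model_load are hypothetical, and the racing writer is simulated deterministically between the check and the use.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model, not kernel code. writecount follows the
 * i_writecount convention: > 0 open writers, < 0 writes denied. */
struct model_file { int writecount; char data[16]; };

static int model_deny_write(struct model_file *f) {
    if (f->writecount > 0)
        return -ETXTBSY;
    f->writecount--;
    return 0;
}

static int model_write(struct model_file *f, const char *s) {
    if (f->writecount < 0)
        return -ETXTBSY;          /* file is frozen for the load */
    snprintf(f->data, sizeof(f->data), "%s", s);
    return 0;
}

/* Hypothetical policy: approve only the content it has inspected. */
static int model_lsm_check(const struct model_file *f) {
    return strcmp(f->data, "trusted") == 0 ? 0 : -EACCES;
}

/* A writer races in between check and use; deny_first selects the order. */
static int model_load(struct model_file *f, int deny_first, char *out, size_t n) {
    int err;
    if (deny_first && (err = model_deny_write(f)))
        return err;
    if ((err = model_lsm_check(f)))            /* time of check */
        return err;
    model_write(f, "tampered");                /* racing writer */
    if (!deny_first && (err = model_deny_write(f)))
        return err;
    snprintf(out, n, "%s", f->data);           /* time of use */
    return 0;
}

int main(void) {
    struct model_file a = {0, "trusted"}, b = {0, "trusted"};
    char old_order[16], new_order[16];
    model_load(&a, 0, old_order, sizeof(old_order));
    model_load(&b, 1, new_order, sizeof(new_order));
    printf("check first: %s\ndeny first:  %s\n", old_order, new_order);
    return 0;
}
```

With the check first, the load succeeds on content the policy never saw; with writes denied first, the racing write fails and the content used is the content checked.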