From: Linus Torvalds
Date: Sat, 11 May 2019 13:21:11 -0400
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
To: Andy Lutomirski
Cc: Jann Horn, Andy Lutomirski, Aleksa Sarai, Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Eric Biederman, Andrew Morton, Alexei Starovoitov, Kees Cook, Christian Brauner, Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov, Aleksa Sarai, Linux Containers, linux-fsdevel, Linux API, kernel list, linux-arch
References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <20190506191735.nmzf7kwfh7b6e2tf@yavin> <20190510204141.GB253532@google.com> <20190510225527.GA59914@google.com>
List-ID: linux-kernel@vger.kernel.org

On Sat, May 11, 2019 at 1:00 PM Andy Lutomirski wrote:
>
> A better "spawn" API should fix this.
Andy, stop with the "spawn would be better". Spawn is garbage.

It's garbage because it's fundamentally too inflexible, and it's garbage because it is quite complex to try to work around the inflexibility by having those complex "action pointer arrays" to make up for its failings.

And spawn() would fundamentally have all the same permission issues that you now point to execve() as having, so it doesn't even *solve* anything.

You've said this whole "spawn would fix things" thing before, and it's wrong. Spawn isn't better. Really. It fixes absolutely zero things, and the only reason for spawn existing is because VMS and NT had that broken and inflexible model.

There's at least one paper from some MS people about how "spawn()" is wonderful, and maybe you bought into the garbage from that. But that paper is about how they hate fork(), not because of execve().

And if you hate fork, use "vfork()" instead (preferably with an immediate call to a non-returning function in the child to avoid the stack re-use issue that makes it so simple to screw up vfork() in hard to debug ways).

execve() is a _fine_ model. That's not the problem in this whole issue at all - never was, and never will be.

The problem in this discussion is (a) having privileges you shouldn't have and (b) having other interfaces that make it easyish to change the filesystem layout to confuse those entities with privileges.

So the reason the open flags can be problematic is exactly because they effectively change filesystem layout. And no, it's not just AT_THIS_ROOT, although that's the obvious one.

Things like "you can't follow symlinks" can also effectively change the layout: imagine if you have a PATH-like lookup model, and you end up having symlinks as part of the standard filesystem layout.. Now a "don't follow symlinks" can turn the *standard* executable into something that isn't found, and then you might end up executing something else instead (think root having '.' as the last entry in path, which some people used to suggest as the fix for the completely bad "first entry" case)..

Notice? None of the real problems are about execve or would be solved by any spawn API. You just think that because you've apparently been talking to too many MS people that think fork (and thus indirectly execve()) is bad process management.

Linus
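The vfork() pattern Linus recommends above, as an added example that is not part of the message or of the kernel tree. The child is handed straight to a function marked noreturn that either execve()s or leaves with _exit(), so the parent's stack frame is never executed twice. The names run_child, child_exec, run_sh and run_missing are this example's own; it assumes a Linux or other POSIX system with /bin/sh present.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Runs in the child's borrowed copy of the parent's stack frame.
 * It never returns, so that frame is not unwound by two processes:
 * the child either execs or leaves via _exit(). */
static __attribute__((noreturn)) void child_exec(const char *path,
                                                 char *const argv[],
                                                 char *const envp[])
{
    execve(path, argv, envp);
    _exit(127);     /* exec failed: _exit(), never exit(), after vfork */
}

/* vfork()+execve() wrapper. Returns the child's exit status (0..255),
 * or -1 if vfork/waitpid failed or the child died by a signal. */
int run_child(const char *path, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = vfork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        child_exec(path, argv, envp);   /* does not return */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience: run a shell snippet through /bin/sh -c (hypothetical helper). */
int run_sh(const char *script)
{
    char *const argv[] = { "sh", "-c", (char *)script, NULL };
    char *const envp[] = { NULL };
    return run_child("/bin/sh", argv, envp);
}

/* exec of a path that does not exist: the child reports 127. */
int run_missing(void)
{
    char *const argv[] = { "nonexistent", NULL };
    char *const envp[] = { NULL };
    return run_child("/nonexistent/pathdemo-binary", argv, envp);
}

int main(void)
{
    return (run_sh("exit 3") == 3 && run_missing() == 127) ? 0 : 1;
}
```

Note that the exit code 127 comes from the child itself, not from the wrapper: after vfork() the only safe things to do in the child are the exec and _exit(), which is why the failure path does not try to report errno back through shared memory.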
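The layout-confusion point above, worked through as an added example (not code from the message, from the patch series, or from the kernel). It builds a constructed directory tree in a temp dir: the standard tool lives under usr/bin, bin is a symlink to usr/bin (as on merged-/usr distributions), and an impostor with the same name sits in the current directory, with PATH set to "<tmp>/bin:." the way the "'.' last" advice would have it. A plain lookup finds the standard tool; the same lookup under a "never cross a symlink" policy skips it and falls through to the impostor. The functions path_has_symlink, path_lookup, make_exec, cleanup and demo are this example's own and assume a writable /tmp.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any component of `path` (as spelled) is a symlink, 0 otherwise. */
static int path_has_symlink(const char *path)
{
    char buf[PATH_MAX];
    size_t n = strlen(path);
    if (n >= sizeof buf)
        return 1;                        /* treat oversize as unsafe */
    memcpy(buf, path, n + 1);
    for (size_t i = 1; i <= n; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;
        char saved = buf[i];
        struct stat st;
        buf[i] = '\0';                   /* lstat each prefix in turn */
        int is_link = lstat(buf, &st) == 0 && S_ISLNK(st.st_mode);
        buf[i] = saved;
        if (is_link)
            return 1;
    }
    return 0;
}

/* PATH-style search for `name`. With nofollow set, a candidate whose path
 * crosses a symlink is skipped, mimicking a "don't follow symlinks" lookup.
 * Returns 1 and fills `out` on a hit, 0 if nothing executable was found. */
int path_lookup(const char *pathvar, const char *name, int nofollow,
                char *out, size_t outsz)
{
    char *save = NULL, *copy = strdup(pathvar);
    if (!copy)
        return 0;
    for (char *dir = strtok_r(copy, ":", &save); dir;
         dir = strtok_r(NULL, ":", &save)) {
        char cand[PATH_MAX];
        snprintf(cand, sizeof cand, "%s/%s", dir, name);
        if (nofollow && path_has_symlink(cand))
            continue;                    /* "not found" under the policy */
        if (access(cand, X_OK) == 0) {
            snprintf(out, outsz, "%s", cand);
            free(copy);
            return 1;
        }
    }
    free(copy);
    return 0;
}

static void make_exec(const char *path)   /* tiny executable script */
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd >= 0) {
        ssize_t r = write(fd, "#!/bin/sh\nexit 0\n", 17);
        (void)r;
        close(fd);
    }
}

static void cleanup(const char *root)
{
    const char *ents[] = { "cwd/tool", "cwd", "usr/bin/tool", "usr/bin",
                           "usr", "bin", NULL };
    char p[PATH_MAX];
    for (int i = 0; ents[i]; i++) {
        snprintf(p, sizeof p, "%s/%s", root, ents[i]);
        if (unlink(p) != 0)
            rmdir(p);
    }
    rmdir(root);
}

/* Constructed layout (hypothetical), built under a fresh temp dir:
 *   <tmp>/usr/bin/tool   the "standard" executable
 *   <tmp>/bin -> usr/bin a symlink, as on merged-/usr systems
 *   <tmp>/cwd/tool       an impostor in the current directory
 * PATH = "<tmp>/bin:." with cwd = <tmp>/cwd.  Returns 1 if the lookup picks
 * the standard tool, 2 if it picks the impostor via ".", 0 if nothing. */
int demo(int nofollow)
{
    char tmpl[] = "/tmp/pathdemo.XXXXXX";
    char p[PATH_MAX], pathvar[PATH_MAX], found[PATH_MAX], oldcwd[PATH_MAX];
    char *root = mkdtemp(tmpl);
    if (!root || !getcwd(oldcwd, sizeof oldcwd))
        return -1;
    snprintf(p, sizeof p, "%s/usr", root);          mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/usr/bin", root);      mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/usr/bin/tool", root); make_exec(p);
    snprintf(p, sizeof p, "%s/bin", root);          symlink("usr/bin", p);
    snprintf(p, sizeof p, "%s/cwd", root);          mkdir(p, 0755);
    snprintf(p, sizeof p, "%s/cwd/tool", root);     make_exec(p);
    if (chdir(p) != 0 && chdir(strcat(strcpy(p, root), "/cwd")) != 0)
        return -1;
    snprintf(pathvar, sizeof pathvar, "%s/bin:.", root);

    int result = 0;
    if (path_lookup(pathvar, "tool", nofollow, found, sizeof found))
        result = strncmp(found, "./", 2) == 0 ? 2 : 1;
    if (chdir(oldcwd) != 0)
        result = -1;
    cleanup(root);
    return result;
}

int main(void)
{
    return (demo(0) == 1 && demo(1) == 2) ? 0 : 1;
}
```

The thing to notice is that nothing in the "don't follow symlinks" rule is wrong in isolation; it changes which file a fixed name resolves to, and any privileged caller that assumed the old resolution is now running something it never intended to. Merged-/usr is the everyday case where a perfectly standard path does cross a symlink.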