From: Linus Torvalds
Date: Sat, 11 May 2019 13:26:55 -0400
Subject: Re: [PATCH v6 5/6] binfmt_*: scope path resolution of interpreters
To: Andy Lutomirski
Cc: Jann Horn, Andy Lutomirski, Aleksa Sarai, Al Viro, Jeff Layton, "J. Bruce Fields", Arnd Bergmann, David Howells, Eric Biederman, Andrew Morton, Alexei Starovoitov, Kees Cook, Christian Brauner, Tycho Andersen, David Drysdale, Chanho Min, Oleg Nesterov, Aleksa Sarai, Linux Containers, linux-fsdevel, Linux API, kernel list, linux-arch
References: <20190506165439.9155-1-cyphar@cyphar.com> <20190506165439.9155-6-cyphar@cyphar.com> <20190506191735.nmzf7kwfh7b6e2tf@yavin> <20190510204141.GB253532@google.com> <20190510225527.GA59914@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, May 11, 2019 at 1:21 PM Linus Torvalds wrote:
>
> Notice? None of the real problems are about execve or would be solved
> by any spawn API. You just think that because you've apparently been
> talking to too many MS people that think fork (and thus indirectly
> execve()) is bad process management.

Side note: a good policy has been (and remains) to make suid binaries
not be dynamically linked.

And in the absence of that, the dynamic linker at least resets the
library path when it notices itself being dynamic, and it certainly
doesn't inherit any open flags from the non-trusted environment.

And by the same logic, a suid interpreter *definitely* should not
inherit any execve() flags from the non-trusted environment.

So I think Aleksa's patch to use the passed-in open flags is *exactly*
the wrong thing to do for security reasons. It doesn't close holes, it
opens them.

Linus