From: Andy Lutomirski
Date: Fri, 6 Sep 2019 14:27:19 -0700
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open()
To: Jeff Layton
Cc: Aleksa Sarai, Mickaël Salaün, Florian Weimer, LKML, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Eric Chiang, James Morris, Jan Kara, Jann Horn, Jonathan Corbet, Kees Cook, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Song Liu, Steve Dower, Steve Grubb, Thibaut Sautereau, Vincent Strubel, Yves-Alexis Perez, Kernel Hardening, Linux API, LSM List, Linux FS Devel
References: <20190906152455.22757-1-mic@digikod.net> <20190906152455.22757-2-mic@digikod.net> <87ef0te7v3.fsf@oldenburg2.str.redhat.com> <75442f3b-a3d8-12db-579a-2c5983426b4d@ssi.gouv.fr> <20190906171335.d7mc3no5tdrcn6r5@yavin.dot.cyphar.com> <8dc59d585a133e96f9adaf0a148334e7f19058b9.camel@kernel.org>
In-Reply-To: <8dc59d585a133e96f9adaf0a148334e7f19058b9.camel@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Sep 6, 2019, at 1:51 PM, Jeff Layton wrote:
>
> On Fri, 2019-09-06 at 13:06 -0700, Andy Lutomirski wrote:
>
>> I’m not at all convinced that the kernel needs to distinguish all these, but at least upgradability should be its own thing IMO.
>
> Good point. Upgradability is definitely orthogonal, though the idea
> there is to alter the default behavior. If the default is NOEXEC then
> UPGRADE_EXEC would make sense.
>
> In any case, I was mostly thinking about the middle two in your list
> above. After more careful reading of the patches, I now get that
> Mickaël is more interested in the first, and that's really a different
> sort of use-case.
>
> Most opens never result in the fd being fed to fexecve or mmapped with
> PROT_EXEC, so having userland explicitly opt-in to allowing that during
> the open sounds like a reasonable thing to do.
>
> But I get that preventing execution via script interpreters of files
> that are not executable might be something nice to have.
>
> Perhaps we need two flags for openat2?
>
> OA2_MAYEXEC : test that permissions allow execution and that the file
> doesn't reside on a noexec mount before allowing the open
>
> OA2_EXECABLE : only allow fexecve or mmapping with PROT_EXEC if the fd
> was opened with this
>

We could go one step farther and have three masks: check_perms, fd_perms,
and upgrade_perms. check_perms says “fail if I don’t have these perms”.
fd_perms is the permissions on the returned fd, and upgrade_perms is the
upgrade mask. (fd_perms & ~check_perms) != 0 is an error.

This makes it possible to say "I want to make sure the file is writable,
but I don't actually want to write to it", which could plausibly be useful.

I would argue that these things should have new, sane bits, e.g.
FILE_READ, FILE_WRITE, and FILE_EXECUTE (or maybe FILE_MAP_EXEC and
FILE_EXECVE). And maybe there should be at least 16 bits for each mask
reserved. Windows has a lot more mode bits than Linux, and it's not
entirely nuts.

We do *not* need any direct equivalent of O_RDWR for openat2().

--Andy
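The three-mask scheme sketched in this message (check_perms, fd_perms, upgrade_perms, with (fd_perms & ~check_perms) != 0 as an error) together with the OA2_MAYEXEC-style noexec-mount check from Jeff's reply, modelled as a small userspace C program. This is an added example for readers of the thread, not code from the message, the patch series or the kernel: the FILE_READ/FILE_WRITE/FILE_EXECUTE bit values, the model_file/model_fd types, the function names, and the rule that upgrade_perms must also be a subset of check_perms are all assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bits in the spirit of the FILE_READ/FILE_WRITE/FILE_EXECUTE
 * names suggested in the message; the values are this model's assumption. */
#define FILE_READ    (1u << 0)
#define FILE_WRITE   (1u << 1)
#define FILE_EXECUTE (1u << 2)
#define FILE_ALL     (FILE_READ | FILE_WRITE | FILE_EXECUTE)

/* Constructed stand-in for the inode and mount state the kernel would consult:
 * what the caller's credentials allow on the file, and whether it sits on a
 * noexec mount (the condition the OA2_MAYEXEC-style check looks at). */
struct model_file {
    uint32_t caller_perms;
    bool     mount_noexec;
};

/* The returned descriptor: rights it holds now, rights it may still gain. */
struct model_fd {
    uint32_t perms;
    uint32_t upgrade_mask;
};

/* Open-time validation of the three masks. Returns 0 or -errno. */
int model_open(const struct model_file *f, uint32_t check_perms,
               uint32_t fd_perms, uint32_t upgrade_perms, struct model_fd *out)
{
    uint32_t effective;

    /* Unknown bits are rejected so the reserved bit space stays reserved. */
    if ((check_perms | fd_perms | upgrade_perms) & ~FILE_ALL)
        return -EINVAL;
    /* The rule from the message: the fd may not hold an unchecked right. */
    if (fd_perms & ~check_perms)
        return -EINVAL;
    /* Assumption of this model, not stated in the thread: the same holds for
     * upgrade_perms, so a later upgrade cannot grant a right never verified. */
    if (upgrade_perms & ~check_perms)
        return -EINVAL;

    /* Execute is dropped on a noexec mount even if the mode bits allow it. */
    effective = f->caller_perms;
    if (f->mount_noexec)
        effective &= ~FILE_EXECUTE;
    if (check_perms & ~effective)
        return -EACCES;

    out->perms = fd_perms;
    out->upgrade_mask = upgrade_perms;
    return 0;
}

/* Later upgrade: only rights in the upgrade mask may be added, each once. */
int model_upgrade(struct model_fd *fd, uint32_t want)
{
    if (want & ~fd->upgrade_mask)
        return -EPERM;
    fd->perms |= want;
    fd->upgrade_mask &= ~want;
    return 0;
}

/* Would an operation needing these rights (fexecve or mmap with PROT_EXEC
 * needing FILE_EXECUTE, say) be allowed on this fd? */
bool model_fd_allows(const struct model_fd *fd, uint32_t op)
{
    return (op & ~fd->perms) == 0;
}

/* Convenience wrapper: build the constructed file inline and open it. */
int try_open(uint32_t caller_perms, bool noexec, uint32_t check,
             uint32_t fdp, uint32_t upg, struct model_fd *out)
{
    struct model_file f = { caller_perms, noexec };
    return model_open(&f, check, fdp, upg, out);
}

int main(void)
{
    struct model_fd fd;

    /* "Make sure the file is writable, but don't actually write to it." */
    printf("check RW, fd R        -> %d, fd allows write: %d\n",
           try_open(FILE_READ | FILE_WRITE, false, FILE_READ | FILE_WRITE,
                    FILE_READ, 0, &fd), (int)model_fd_allows(&fd, FILE_WRITE));
    /* fd asks for a right the open never checked: rejected outright. */
    printf("check R, fd W         -> %d (EINVAL is %d)\n",
           try_open(FILE_READ | FILE_WRITE, false, FILE_READ, FILE_WRITE, 0, &fd),
           -EINVAL);
    /* Script on a noexec mount: the MAYEXEC-style check fails at open time. */
    printf("check RX on noexec    -> %d (EACCES is %d)\n",
           try_open(FILE_READ | FILE_EXECUTE, true, FILE_READ | FILE_EXECUTE,
                    FILE_READ | FILE_EXECUTE, 0, &fd), -EACCES);
    /* Open read-only now, keep the option to upgrade to exec later. */
    printf("check RX, fd R, upg X -> %d\n",
           try_open(FILE_READ | FILE_EXECUTE, false, FILE_READ | FILE_EXECUTE,
                    FILE_READ, FILE_EXECUTE, &fd));
    printf("  upgrade X -> %d, upgrade W -> %d (EPERM is %d)\n",
           model_upgrade(&fd, FILE_EXECUTE), model_upgrade(&fd, FILE_WRITE),
           -EPERM);
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The noexec case is the one worth staring at: because the execute check is tied to check_perms at open time, an interpreter that opens a script with FILE_EXECUTE in check_perms gets -EACCES before it ever reads a byte, instead of having to re-derive the mount flags itself later.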