Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp2258517ybe; Sat, 7 Sep 2019 12:00:00 -0700 (PDT) X-Google-Smtp-Source: APXvYqz82CyqD9yebcXvSYzvwtVX9MXoOyN1Pj+1+qKQGCkQarGaek1oKFOT195PsGqcp6inXMhr X-Received: by 2002:a17:902:8210:: with SMTP id x16mr3717929pln.292.1567882800529; Sat, 07 Sep 2019 12:00:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567882800; cv=none; d=google.com; s=arc-20160816; b=QluK1cG4/8LLXGO3MCrrPkYAoqMIwb1YDBkjLEj8VwMDl5XJJktS9digY6k2YUkxCR bODF4xyGyA/kqASHCdULcGz7VkkpSYrmIT7yCM66OiI8851/dr/cWpGZoYEiPSnt7q9O s9IuZpuifwl6Ci6OxVB2Bo9kNg8h1Ot+mt+NCmxMCOlURmWZXj6hJ13TAjRcsdW0+jvP L2g3wQOOODmNP/avaCbIqQx0Jb/yvRIDzQOFhRwV4Dqf9BTRDJOshdoScMQ/FhZUzzcj Eq11aIk1xxT17VWt0dRKHj3ktX30CU4WOO4ELkNBE2tV5ApI0fB9QbSdc9VErUhdvPBh VMPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=QRnJITRgtGPLg2irBHffabraOH6qFTHyLeWEmn2CG4k=; b=Sfd4RCSnGU2XgARNiaaB6zQX4H2QWkQbDL7MRVRwFva4LEXTLTriWzXwp82/Xul2Wz cHGE0in8YwdyPt99aMzjgVzL6Uc4+LwMTRYLOiz1h1v6HPLN4u4/lV9p30WLLCFAH1Sr k1Gp4HtkkdWyZkWijM9A5fNqvD2zyqoA512EzsHQ8pKQcqZkY7/PT0L09JSGUr/O2QJK /Xjgz2f9bCNb7H5eNiriMT1/cO1tZV5ahiCwAOh3v48923KFGA5J3MrYn4sGGYPzQUUJ V8kwr5aYzhz8NXD05EPeZ75arqjBVtlxElkU4wdh9ti7u21ZuCmm/nD/RceQSgfR0+8Z fXuA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=fW9yI0r5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b2si8459248plx.266.2019.09.07.11.59.30; Sat, 07 Sep 2019 12:00:00 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tycho-ws.20150623.gappssmtp.com header.s=20150623 header.b=fW9yI0r5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2436625AbfIFSq2 (ORCPT + 99 others); Fri, 6 Sep 2019 14:46:28 -0400 Received: from mail-io1-f65.google.com ([209.85.166.65]:33475 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2436615AbfIFSqZ (ORCPT ); Fri, 6 Sep 2019 14:46:25 -0400 Received: by mail-io1-f65.google.com with SMTP id m11so15054635ioo.0 for ; Fri, 06 Sep 2019 11:46:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tycho-ws.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=QRnJITRgtGPLg2irBHffabraOH6qFTHyLeWEmn2CG4k=; b=fW9yI0r5PaavEuDpO3wqhc1PKV3gT7W2PHr0YvMv8yeRB3SF0rAwRE2BkG1RKIldB5 pk0J20GIWh4t241wQZQAl1zHWNJxStYwy5kxUtaiwtqqhZ1ozaqrys8TEuTqNPhLzMt5 Zm7do94cFWUwupAl/AOKTQpMgaVyhyVNN+4sksBHKSxv/0mSVTnzzbyVyIbnqt1snF5t iguQSIF5qEqKP9/56X/CjyzTRl1ktsNgpb3jvd0i/WW+d9og8BLCwLR8APIzc18T/0uR OlizzA0soMA5t0+LMz3QvB2o7vOuygMelmEjFL6nD4NQrfX5rILFVMakZMg0djTuN2a5 pLkA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to:user-agent; bh=QRnJITRgtGPLg2irBHffabraOH6qFTHyLeWEmn2CG4k=; b=YjFD+PhxaeN4kKFgBNiYeygJ9ugCD44AoIb/V/2sw04Mtp6bKF2MGyQKGxT1MAJJFt 3sMceYTVlg4JUmnCBWG8a5P/mPwOmNzz8+Zx3FiX/FQ61IuQxSulVmpO4x9NMArrcL0f zRYt8MjhDzHYqn69qhVZJsaJwkO8/14M2fbBSRlItEalCYZVtlpZlzk+UJQlEY40VTdd 6QrJQE6lZRY/WeJYzmU03cNjLSXxbT45QTAr1FyWb9sU9Stc2u1AxMrZtiBDY9xwwu3N yBh10Ch25W9KjNmccBX598UAjA/Kr9UErI1YVLv/q5Jyloo84tlMGd25Rcvvm8kjstln 9eFQ== X-Gm-Message-State: APjAAAUe+yL1rKOgFsyvFr0GpbLFXWaFt4TaKSdO+bLtY9EemOVlGoiN KPucV8b02EOdOcvAiPznni4oFg== X-Received: by 2002:a02:ab90:: with SMTP id t16mr12092436jan.110.1567795583168; Fri, 06 Sep 2019 11:46:23 -0700 (PDT) Received: from cisco ([2601:282:901:dd7b:49a:5f6f:e06:3c33]) by smtp.gmail.com with ESMTPSA id h4sm5578707iok.1.2019.09.06.11.46.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Sep 2019 11:46:22 -0700 (PDT) Date: Fri, 6 Sep 2019 12:46:20 -0600 From: Tycho Andersen To: Florian Weimer Cc: Christian Brauner , Aleksa Sarai , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , linux-kernel@vger.kernel.org, Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Eric Chiang , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , Mimi Zohar , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Song Liu , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() Message-ID: <20190906184620.GI7627@cisco> References: <20190906152455.22757-1-mic@digikod.net> <20190906152455.22757-2-mic@digikod.net> <87ef0te7v3.fsf@oldenburg2.str.redhat.com> <75442f3b-a3d8-12db-579a-2c5983426b4d@ssi.gouv.fr> <20190906170739.kk3opr2phidb7ilb@yavin.dot.cyphar.com> <20190906172050.v44f43psd6qc6awi@wittgenstein> <20190906174041.GH7627@cisco> <87v9u5cmb0.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87v9u5cmb0.fsf@oldenburg2.str.redhat.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 06, 2019 at 08:27:31PM +0200, Florian Weimer wrote: > * Tycho Andersen: > > > On Fri, Sep 06, 2019 at 07:20:51PM +0200, Christian Brauner wrote: > >> On Sat, Sep 07, 2019 at 03:07:39AM +1000, Aleksa Sarai wrote: > >> > On 2019-09-06, Micka?l Sala?n wrote: > >> > > > >> > > On 06/09/2019 17:56, Florian Weimer wrote: > >> > > > Let's assume I want to add support for this to the glibc dynamic loader, > >> > > > while still being able to run on older kernels. > >> > > > > >> > > > Is it safe to try the open call first, with O_MAYEXEC, and if that fails > >> > > > with EINVAL, try again without O_MAYEXEC? > >> > > > >> > > The kernel ignore unknown open(2) flags, so yes, it is safe even for > >> > > older kernel to use O_MAYEXEC. > >> > > >> > Depends on your definition of "safe" -- a security feature that you will > >> > silently not enable on older kernels doesn't sound super safe to me. > >> > Unfortunately this is a limitation of open(2) that we cannot change -- > >> > which is why the openat2(2) proposal I've been posting gives -EINVAL for > >> > unknown O_* flags. > >> > > >> > There is a way to probe for support (though unpleasant), by creating a > >> > test O_MAYEXEC fd and then checking if the flag is present in > >> > /proc/self/fdinfo/$n. > >> > >> Which Florian said they can't do for various reasons. > >> > >> It is a major painpoint if there's no easy way for userspace to probe > >> for support. Especially if it's security related which usually means > >> that you want to know whether this feature works or not. > > > > What about just trying to violate the policy via fexecve() instead of > > looking around in /proc? Still ugly, though. > > How would we do this? This is about opening the main executable as part > of an explicit loader invocation. Typically, an fexecve will succeed > and try to run the program, but with the wrong dynamic loader. Yeah, fexecve() was a think-o, sorry, you don't need to go that far. I was thinking do what the tests in this series do: create a tmpfs with MS_NOEXEC, put an executable file in it, and try and open it with O_MAYEXEC. If that works, the kernel doesn't support the flag, and it should give you -EACCES if the kernel does support the flag. Still a lot of work, though. Seems better to just use openat2. Tycho