Subject: Re: [PATCH v2 0/5] Add support for O_MAYEXEC
From: Andy Lutomirski
Date: Fri, 6 Sep 2019 12:26:51 -0700
To: Steve Grubb
Cc: Florian Weimer, Mickaël Salaün, linux-kernel@vger.kernel.org, Aleksa Sarai, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Eric Chiang, James Morris, Jan Kara, Jann Horn, Jonathan Corbet, Kees Cook, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Song Liu, Steve Dower, Thibaut Sautereau, Vincent Strubel, Yves-Alexis Perez, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
In-Reply-To: <1802966.yheqmZt8Si@x2>
References: <20190906152455.22757-1-mic@digikod.net> <2989749.1YmIBkDdQn@x2> <87mufhckxv.fsf@oldenburg2.str.redhat.com> <1802966.yheqmZt8Si@x2>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Sep 6, 2019, at 12:07 PM, Steve Grubb wrote:
>
>> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote:
>> * Steve Grubb:
>>> Now with LD_AUDIT
>>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test
>>> 2>&1 | grep passwd
>>> openat(3, "passwd", O_RDONLY) = 4
>>>
>>> No O_CLOEXEC flag.
>>
>> I think you need to explain in detail why you consider this a problem.
>
> Because you can strip the O_MAYEXEC flag from being passed into the kernel.
> Once you do that, you defeat the security mechanism because it never gets
> invoked. The issue is that the only thing that knows _why_ something is being
> opened is user space. With this mechanism, you can attempt to pass this
> reason to the kernel so that it may see if policy permits this. But you can
> just remove the flag.

I’m with Florian here. Once you are executing code in a process, you could just emulate some other unapproved code. This series is not intended to provide the kind of absolute protection you’re imagining.

What the kernel *could* do is prevent mmapping a non-FMODE_EXEC file with PROT_EXEC, which would indeed have a real effect (in an iOS-like world, for example) but would break many, many things.
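
The behaviour the last paragraph of the message refers to, as an added C example that is not part of the original e-mail or the patch series: on current Linux a file opened with plain O_RDONLY can still be mapped PROT_EXEC, which is what dynamic loaders rely on and why tying PROT_EXEC to an exec-intent open would break existing software. The function name and the sample path `/proc/self/exe` are choices made for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper for this illustration.
 * Returns 1 if an executable mapping of `path` succeeds after a plain
 * O_RDONLY open, 0 if the kernel refuses the mapping (for example on a
 * noexec mount), and -1 if the file cannot be opened at all. */
int exec_map_after_plain_open(const char *path)
{
    /* No exec intent is expressed here: this is an ordinary read-only open. */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_EXEC,
                   MAP_PRIVATE, fd, 0);
    int saved = errno;
    close(fd);

    if (p == MAP_FAILED) {
        fprintf(stderr, "mmap(PROT_EXEC) refused: %s\n", strerror(saved));
        return 0;
    }
    munmap(p, (size_t)page);
    return 1;
}

int main(void)
{
    /* Sample input chosen for the example: the running binary itself. */
    const char *path = "/proc/self/exe";
    int r = exec_map_after_plain_open(path);

    printf("%s: open(O_RDONLY) then mmap(PROT_EXEC) -> %s\n", path,
           r == 1 ? "allowed" : r == 0 ? "refused" : "open failed");
    return r < 0;
}
```

A result of "allowed" shows that the open-time flags play no part in the later mapping decision; a kernel enforcing the restriction described in the message would return "refused" for the same sequence.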