Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp4622195ybz;
        Tue, 28 Apr 2020 15:04:46 -0700 (PDT)
X-Google-Smtp-Source: APiQypJ1RUUKn0mMI/jQBhiDn4KTXBuB/fNchLbRLcfWb7v3vH4Q6aLL+Ktgzorn+Jm68XVDWbeQ
X-Received: by 2002:a17:906:a418:: with SMTP id l24mr26420530ejz.362.1588111485903;
        Tue, 28 Apr 2020 15:04:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588111485; cv=none;
        d=google.com; s=arc-20160816;
        b=wRZgwaKgCH49NgYRm1tb8DM+S2nm/wJOWdEQv7ot4RUvlidyFwMuOGcuYQS3yqq/qA
         5THgsQAhmncAQyZQcX8zLeRFalqNwPNeVWZwukwvsqrF6+xJ/MFeBhwvYgof9jrSCl+i
         q6v2jBaxrFr0J2cUd/sjaFS983jR6PWDF3cAq5dl/xSRWEt/YuUyEoedSwBZQZdax2yU
         fpXutKFAu01EMc8XWdXEN6jShazKA68c+d6bkwG4uozVuRw7a8UvFVq20o5XrxYTgvwu
         a9q5ycriaRSPfBCluZfR0hZKsomeTWKZ8sTSA9HWBqBcMcWvGE8GdtqjPsatb6HuYrC8
         25gA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=qgsuGKbVjYSeRuT0TDuIXexAYzlpaF3ybirX/bZdq/M=;
        b=tYPdtQ764o3qkNgk9YOCsA3MPm3PKzZaR/5O2+BPZZXzL7JXml8YtvSV4D7dVVvj7x
         V3scCI9N0Idnu1uOwbjRsA6tp3AU/Vv8MXjPxEyDwbIII6ee5SWSs1fLmqQADL7sRrpc
         ESZ0ijk6OYqRS7S2oXL7+4ERFEEtWtf6d6HWuxm391MSyUYe/cjmlRNUExHApfhVPEFB
         Q/ilYGg+OB32rqNe8gMol5fDsX+4IXO3tRr8KaZdyI0+vsHa8e3Lc42U2jNN6HfQWOi0
         A9JzJTO0zlmtNhTIiG9rJ3ZqL1AEs5eql3WXLxh56fDjY4foRODijhaWrT/D117B0Sxz
         06qg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="Nb6/Li2p";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j23si2481462ejt.284.2020.04.28.15.04.12;
        Tue, 28 Apr 2020 15:04:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b="Nb6/Li2p";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726384AbgD1WCI (ORCPT <rfc822;luigi.mantellini.ml@gmail.com>
        + 99 others); Tue, 28 Apr 2020 18:02:08 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48674 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726381AbgD1WCG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 28 Apr 2020 18:02:06 -0400
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DC1FC03C1AC
        for <linux-kernel@vger.kernel.org>; Tue, 28 Apr 2020 15:02:06 -0700 (PDT)
Received: by mail-lj1-x243.google.com with SMTP id a21so461089ljb.9
        for <linux-kernel@vger.kernel.org>; Tue, 28 Apr 2020 15:02:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc:content-transfer-encoding;
        bh=qgsuGKbVjYSeRuT0TDuIXexAYzlpaF3ybirX/bZdq/M=;
        b=Nb6/Li2pKgIuauzZc2N7D4986KwsAReiq+tNfzAVNQVdh/FoY66ln1u7c/OYs5nAIQ
         5UN/eOvHcUkIcP4q9blPXT94fH+WWdxswwCB5DKULdEHPi1YqR1dvk2z6PvlWWeAQAcm
         wQwwSDA8HHbq+YgMhNTWRBM/CImHC0LY9UotCwM0UgXh0tABr3MbTh+50pfQ0KbVJKi8
         cg4w5xhIpzuG6Bd892VjlS1HnODoa4vjODLOrKsg/dV5ZzXRX6o13x78TwXT7LaG0BJE
         xgEIremOXnl4KN3PAUhl/lbPEuA27Zm/tMJk1F0bDyX0J3fzcmWjvKcuxbldGRhUrvwA
         AVzw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc:content-transfer-encoding;
        bh=qgsuGKbVjYSeRuT0TDuIXexAYzlpaF3ybirX/bZdq/M=;
        b=GCBQcBFVJcMfnWDjctmUa7ZMStNut6uGsFe52ukzAZCC3J2aQpKH/eHsrvIk32zSYR
         BKpL8xk0CQTtrP+4uGVAUxX63+qeh4ZylUqb7mU59Oo9NULBJKRusxizCSGZPakb5tq/
         ZRtxYxfI0bCVFpT+Z+zpMjef3nJl4CInVr4eBHTbjWx7ZgGgw/sX7mJZamIH2fBtT0R8
         9fKAbRGrbakKhr6NOsThbh6MZJmHdSz82j+IKvsSRIQNbxTo+7JXw9cTAEfE61idww8L
         1Y3gxZyI1F4sGI3ZTe9nLPVhHxVk+g6IQ3UGof02jRXDXTIM1x32dJM+KK33P5aZx3Bv
         GrzA==
X-Gm-Message-State: AGi0PuYQ2m6sewsGf7o1ygq+OpNW37ltBbWnCHU1owuAV4hfL4vj7UjS
        y4E0CM3xbXVAKw20LQ5w4k8unbjgY9yG9M4zKbQydAkjxzHe5A==
X-Received: by 2002:a2e:b249:: with SMTP id n9mr18998872ljm.221.1588111324730;
 Tue, 28 Apr 2020 15:02:04 -0700 (PDT)
MIME-Version: 1.0
References: <20200428175129.634352-1-mic@digikod.net> <CAG48ez1bKzh1YvbD_Lcg0AbMCH_cdZmrRRumU7UCJL=qPwNFpQ@mail.gmail.com>
 <87blnb48a3.fsf@mid.deneb.enyo.de>
In-Reply-To: <87blnb48a3.fsf@mid.deneb.enyo.de>
From:   Jann Horn <jannh@google.com>
Date:   Wed, 29 Apr 2020 00:01:38 +0200
Message-ID: <CAG48ez2TphTj-VdDaSjvnr0Q8BhNmT3n86xYz4bF3wRJmAMsMw@mail.gmail.com>
Subject: Re: [PATCH v3 0/5] Add support for RESOLVE_MAYEXEC
To:     Florian Weimer <fw@deneb.enyo.de>
Cc:     =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mic@digikod.net>,
        kernel list <linux-kernel@vger.kernel.org>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@kernel.org>,
        Christian Heimes <christian@python.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Deven Bowers <deven.desai@linux.microsoft.com>,
        Eric Chiang <ericchiang@google.com>,
        James Morris <jmorris@namei.org>, Jan Kara <jack@suse.cz>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Matthew Garrett <mjg59@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= <mickael.salaun@ssi.gouv.fr>,
        Mimi Zohar <zohar@linux.ibm.com>,
        =?UTF-8?Q?Philippe_Tr=C3=A9buchet?= 
        <philippe.trebuchet@ssi.gouv.fr>,
        Scott Shell <scottsh@microsoft.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Steve Dower <steve.dower@python.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
        Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 28, 2020 at 11:21 PM Florian Weimer <fw@deneb.enyo.de> wrote:
> * Jann Horn:
>
> > Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in
> > the dynamic linker.
>
> Absolutely.  In typical configurations, the kernel does not enforce
> that executable mappings must be backed by files which are executable.
> It's most obvious with using an explicit loader invocation to run
> executables on noexec mounts.  RESOLVE_MAYEXEC is much more useful
> than trying to reimplement the kernel permission checks (or what some
> believe they should be) in userspace.

Oh, good point.

That actually seems like something Micka=C3=ABl could add to his series? If
someone turns on that knob for "When an interpreter wants to execute
something, enforce that we have execute access to it", they probably
also don't want it to be possible to just map files as executable? So
perhaps when that flag is on, the kernel should either refuse to map
anything as executable if it wasn't opened with RESOLVE_MAYEXEC or
(less strict) if RESOLVE_MAYEXEC wasn't used, print a warning, then
check whether the file is executable and bail out if not?

A configuration where interpreters verify that scripts are executable,
but other things can just mmap executable pages, seems kinda
inconsistent...