Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp383521ybz;
        Wed, 29 Apr 2020 01:53:51 -0700 (PDT)
X-Google-Smtp-Source: APiQypIFCtIXT0z3qvz1HCADM7Bi51oe7ObAoB+HITALePycUXaCU77CzpOncyF1anhggKlrvy80
X-Received: by 2002:a17:907:11de:: with SMTP id va30mr1649088ejb.121.1588150431062;
        Wed, 29 Apr 2020 01:53:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588150431; cv=none;
        d=google.com; s=arc-20160816;
        b=s0Fv2Db5exOQKKeFxgYx5gUt9dYZzpqLBxUX9W98t1kt4Z8L9lDoaxmmdfcW54xuTD
         0DLrAURCfr2udOTRBzQuWQF1+bujbmVOYQLHw+OFoUwnuEGnsXWpV2oalwAfI5nTQzYa
         QPZcRigMAw32QFOIh7v/Jk+/GSMvXE+Lys0pEJFE0FTqYIqPc7DTOtbotlfajiLjxKiY
         Jb7tI1vAe6AA5rKpXGReAXxpDLOk6eVBqt7WRVmvwMS9sart/bKOPkzxB0MotlFwYvgg
         VfKqLccWEGI2lBYu+TLhauHlb+ZgRJsCMyH8n+xLjMJLidnQsy9aGj742XpiQYPHCaGS
         mxNg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject;
        bh=NJdd9tkpAAegYvYuXShhHPwrCHDD7Esr00BnlBj26Mo=;
        b=f7Tsxn6VABpthD1pOmopLFOoa+TNf/SZREgbC7rREbzlcmj4adZskQn5beaRvmpyyX
         IFiNOU6tTyZFRr6qRzpriaO/lHuWyQlf1Ym2YO08dzCjURUoAnXeC0rOKHaNgjeAeSHl
         iwsHnU/RJPZBztXz27UuFGoNOKY5EF2yOZ+nKcib35BumgyoMqv6YQnkaTu8C07SVBcW
         AxjhTwyIVl+6wWLBqDo1bty8rU+b9hWTPNbSnDebRdo3DwywqS51Vz/pdveehCOZDtC3
         +kVBDUrTM4hLIfOo4luq1UdSwD2ZvJTK0mFbha2ANtWhYyo+9Uz75kUnofYcobhuotYv
         sZSQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ch10si117107edb.454.2020.04.29.01.53.27;
        Wed, 29 Apr 2020 01:53:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726634AbgD2Iuz (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Wed, 29 Apr 2020 04:50:55 -0400
Received: from smtp-190a.mail.infomaniak.ch ([185.125.25.10]:34883 "EHLO
        smtp-190a.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726526AbgD2Iuz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Apr 2020 04:50:55 -0400
Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108])
        by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49BsfQ1WB6zlhqlx;
        Wed, 29 Apr 2020 10:50:22 +0200 (CEST)
Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103])
        by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 49BsfM4z8bzmPw5b;
        Wed, 29 Apr 2020 10:50:19 +0200 (CEST)
Subject: Re: [PATCH v3 0/5] Add support for RESOLVE_MAYEXEC
To:     Jann Horn <jannh@google.com>, Florian Weimer <fw@deneb.enyo.de>
Cc:     kernel list <linux-kernel@vger.kernel.org>,
        Aleksa Sarai <cyphar@cyphar.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andy Lutomirski <luto@kernel.org>,
        Christian Heimes <christian@python.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Deven Bowers <deven.desai@linux.microsoft.com>,
        Eric Chiang <ericchiang@google.com>,
        James Morris <jmorris@namei.org>, Jan Kara <jack@suse.cz>,
        Jonathan Corbet <corbet@lwn.net>,
        Kees Cook <keescook@chromium.org>,
        Matthew Garrett <mjg59@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mickael.salaun@ssi.gouv.fr>,
        Mimi Zohar <zohar@linux.ibm.com>,
        =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= 
        <philippe.trebuchet@ssi.gouv.fr>,
        Scott Shell <scottsh@microsoft.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Steve Dower <steve.dower@python.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
        Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        Linux API <linux-api@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>
References: <20200428175129.634352-1-mic@digikod.net>
 <CAG48ez1bKzh1YvbD_Lcg0AbMCH_cdZmrRRumU7UCJL=qPwNFpQ@mail.gmail.com>
 <87blnb48a3.fsf@mid.deneb.enyo.de>
 <CAG48ez2TphTj-VdDaSjvnr0Q8BhNmT3n86xYz4bF3wRJmAMsMw@mail.gmail.com>
From:   =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= <mic@digikod.net>
Message-ID: <ece281a5-8944-65fd-2a76-e4479a0cccaf@digikod.net>
Date:   Wed, 29 Apr 2020 10:50:19 +0200
User-Agent: 
MIME-Version: 1.0
In-Reply-To: <CAG48ez2TphTj-VdDaSjvnr0Q8BhNmT3n86xYz4bF3wRJmAMsMw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x100000
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 29/04/2020 00:01, Jann Horn wrote:
> On Tue, Apr 28, 2020 at 11:21 PM Florian Weimer <fw@deneb.enyo.de> wrote:
>> * Jann Horn:
>>
>>> Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in
>>> the dynamic linker.
>>
>> Absolutely.  In typical configurations, the kernel does not enforce
>> that executable mappings must be backed by files which are executable.
>> It's most obvious with using an explicit loader invocation to run
>> executables on noexec mounts.  RESOLVE_MAYEXEC is much more useful
>> than trying to reimplement the kernel permission checks (or what some
>> believe they should be) in userspace.

Indeed it makes sense to use RESOLVE_MAYEXEC for the dynamic linker too.
Only the noexec mount option is taken into account for mmap(2) with
PROT_EXEC, and if you can trick the dynamic linker with JOP as Jann
explained, it may enable to execute new code. However, a kernel which
forbids remapping memory with PROT_EXEC still enables to implement a W^X
policy. Any JOP/ROP still enables unexpected code execution though.

> 
> Oh, good point.
> 
> That actually seems like something Mickaël could add to his series? If
> someone turns on that knob for "When an interpreter wants to execute
> something, enforce that we have execute access to it", they probably
> also don't want it to be possible to just map files as executable? So
> perhaps when that flag is on, the kernel should either refuse to map
> anything as executable if it wasn't opened with RESOLVE_MAYEXEC or
> (less strict) if RESOLVE_MAYEXEC wasn't used, print a warning, then
> check whether the file is executable and bail out if not?
> 
> A configuration where interpreters verify that scripts are executable,
> but other things can just mmap executable pages, seems kinda
> inconsistent...

As it is written in the documentation patch, this RESOLVE_MAYEXEC
feature is an important missing piece, but to implement a consistent
security policy we need to enable other restrictions starting with a
noexec mount point policy. The purpose of this patch series is not to
bring a full-feature LSM with process states handling, but it brings
what is needed for LSMs such as SELinux, IMA or IPE to extend their
capabilities to reach what you would expect.