Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp383521ybz; Wed, 29 Apr 2020 01:53:51 -0700 (PDT) X-Google-Smtp-Source: APiQypIFCtIXT0z3qvz1HCADM7Bi51oe7ObAoB+HITALePycUXaCU77CzpOncyF1anhggKlrvy80 X-Received: by 2002:a17:907:11de:: with SMTP id va30mr1649088ejb.121.1588150431062; Wed, 29 Apr 2020 01:53:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588150431; cv=none; d=google.com; s=arc-20160816; b=s0Fv2Db5exOQKKeFxgYx5gUt9dYZzpqLBxUX9W98t1kt4Z8L9lDoaxmmdfcW54xuTD 0DLrAURCfr2udOTRBzQuWQF1+bujbmVOYQLHw+OFoUwnuEGnsXWpV2oalwAfI5nTQzYa QPZcRigMAw32QFOIh7v/Jk+/GSMvXE+Lys0pEJFE0FTqYIqPc7DTOtbotlfajiLjxKiY Jb7tI1vAe6AA5rKpXGReAXxpDLOk6eVBqt7WRVmvwMS9sart/bKOPkzxB0MotlFwYvgg VfKqLccWEGI2lBYu+TLhauHlb+ZgRJsCMyH8n+xLjMJLidnQsy9aGj742XpiQYPHCaGS mxNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=NJdd9tkpAAegYvYuXShhHPwrCHDD7Esr00BnlBj26Mo=; b=f7Tsxn6VABpthD1pOmopLFOoa+TNf/SZREgbC7rREbzlcmj4adZskQn5beaRvmpyyX IFiNOU6tTyZFRr6qRzpriaO/lHuWyQlf1Ym2YO08dzCjURUoAnXeC0rOKHaNgjeAeSHl iwsHnU/RJPZBztXz27UuFGoNOKY5EF2yOZ+nKcib35BumgyoMqv6YQnkaTu8C07SVBcW AxjhTwyIVl+6wWLBqDo1bty8rU+b9hWTPNbSnDebRdo3DwywqS51Vz/pdveehCOZDtC3 +kVBDUrTM4hLIfOo4luq1UdSwD2ZvJTK0mFbha2ANtWhYyo+9Uz75kUnofYcobhuotYv sZSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ch10si117107edb.454.2020.04.29.01.53.27; Wed, 29 Apr 2020 01:53:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726634AbgD2Iuz (ORCPT + 99 others); Wed, 29 Apr 2020 04:50:55 -0400 Received: from smtp-190a.mail.infomaniak.ch ([185.125.25.10]:34883 "EHLO smtp-190a.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726526AbgD2Iuz (ORCPT ); Wed, 29 Apr 2020 04:50:55 -0400 Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49BsfQ1WB6zlhqlx; Wed, 29 Apr 2020 10:50:22 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 49BsfM4z8bzmPw5b; Wed, 29 Apr 2020 10:50:19 +0200 (CEST) Subject: Re: [PATCH v3 0/5] Add support for RESOLVE_MAYEXEC To: Jann Horn , Florian Weimer Cc: kernel list , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Deven Bowers , Eric Chiang , James Morris , Jan Kara , Jonathan Corbet , Kees Cook , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Kernel Hardening , Linux API , linux-security-module , linux-fsdevel References: <20200428175129.634352-1-mic@digikod.net> <87blnb48a3.fsf@mid.deneb.enyo.de> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: Date: Wed, 29 Apr 2020 10:50:19 +0200 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 29/04/2020 00:01, Jann Horn wrote: > On Tue, Apr 28, 2020 at 11:21 PM Florian Weimer wrote: >> * Jann Horn: >> >>> Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in >>> the dynamic linker. >> >> Absolutely. In typical configurations, the kernel does not enforce >> that executable mappings must be backed by files which are executable. >> It's most obvious with using an explicit loader invocation to run >> executables on noexec mounts. RESOLVE_MAYEXEC is much more useful >> than trying to reimplement the kernel permission checks (or what some >> believe they should be) in userspace. Indeed it makes sense to use RESOLVE_MAYEXEC for the dynamic linker too. Only the noexec mount option is taken into account for mmap(2) with PROT_EXEC, and if you can trick the dynamic linker with JOP as Jann explained, it may enable to execute new code. However, a kernel which forbids remapping memory with PROT_EXEC still enables to implement a W^X policy. Any JOP/ROP still enables unexpected code execution though. > > Oh, good point. > > That actually seems like something Mickaƫl could add to his series? If > someone turns on that knob for "When an interpreter wants to execute > something, enforce that we have execute access to it", they probably > also don't want it to be possible to just map files as executable? So > perhaps when that flag is on, the kernel should either refuse to map > anything as executable if it wasn't opened with RESOLVE_MAYEXEC or > (less strict) if RESOLVE_MAYEXEC wasn't used, print a warning, then > check whether the file is executable and bail out if not? > > A configuration where interpreters verify that scripts are executable, > but other things can just mmap executable pages, seems kinda > inconsistent... As it is written in the documentation patch, this RESOLVE_MAYEXEC feature is an important missing piece, but to implement a consistent security policy we need to enable other restrictions starting with a noexec mount point policy. The purpose of this patch series is not to bring a full-feature LSM with process states handling, but it brings what is needed for LSMs such as SELinux, IMA or IPE to extend their capabilities to reach what you would expect.