Subject: Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC
From: Randy Dunlap
To: Mickaël Salaün, linux-kernel@vger.kernel.org
Cc: Aleksa Sarai, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Deven Bowers, Eric Chiang, Florian Weimer, James Morris, Jan Kara, Jann Horn, Jonathan Corbet, Kees Cook, Lakshmi Ramasubramanian, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Steve Dower, Steve Grubb, Thibaut Sautereau, Vincent Strubel, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Date: Tue, 5 May 2020 10:40:31 -0700
Message-ID: <9e3ec812-128d-cc46-5206-ab72b737b274@infradead.org>
In-Reply-To: <3555aab7-f4e0-80eb-0dfc-a87cfcba5e68@digikod.net>
References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-4-mic@digikod.net> <3555aab7-f4e0-80eb-0dfc-a87cfcba5e68@digikod.net>
List-ID: linux-kernel@vger.kernel.org

On 5/5/20 9:55 AM, Mickaël Salaün wrote:
> On 05/05/2020 17:44, Randy Dunlap wrote:
>> On 5/5/20 8:31 AM, Mickaël Salaün wrote:
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index cd3cc7da3a55..d8fac9240d14 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -230,6 +230,32 @@ config STATIC_USERMODEHELPER_PATH >>> If you wish for all usermode helper programs to be disabled, >>> specify an empty string here (i.e. ""). >>> >>> +menuconfig OMAYEXEC_STATIC >>> + tristate "Configure O_MAYEXEC behavior at build time" >>> + ---help--- >>> + Enable to enforce O_MAYEXEC at build time, and disable the dedicated >>> + fs.open_mayexec_enforce sysctl. >> >> That help message is a bit confusing IMO. Does setting/enabling OMAYEXEC_STATIC >> both enforce O_MAYEXEC at build time and also disable the dedicated sysctl? > > Yes. What about this? > "Define the O_MAYEXEC policy at build time only. As a side effect, this > also disables the fs.open_mayexec_enforce sysctl." > Yes, much better. Thanks. >> >> Or are these meant to be alternatives, one for what Enabling this kconfig symbol >> does and the other for what Disabling this symbol does? If so, it doesn't >> say that. >> >>> + >>> + See Documentation/admin-guide/sysctl/fs.rst for more details. >>> + >>> +if OMAYEXEC_STATIC >>> + >>> +config OMAYEXEC_ENFORCE_MOUNT >>> + bool "Mount restriction" >>> + default y >>> + ---help--- >>> + Forbid opening files with the O_MAYEXEC option if their underlying VFS is >>> + mounted with the noexec option or if their superblock forbids execution >>> + of its content (e.g., /proc). >>> + >>> +config OMAYEXEC_ENFORCE_FILE >>> + bool "File permission restriction" >>> + ---help--- >>> + Forbid opening files with the O_MAYEXEC option if they are not marked as >>> + executable for the current process (e.g., POSIX permissions). >>> + >>> +endif # OMAYEXEC_STATIC >>> + >>> source "security/selinux/Kconfig" >>> source "security/smack/Kconfig" >>> source "security/tomoyo/Kconfig" >> >> -- ~Randy
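Review bot: `menuconfig OMAYEXEC_STATIC` is declared `tristate`, but nothing in this hunk can be built as a module: it fixes the O_MAYEXEC policy at build time for core VFS code and only gates two `bool` options, so `=m` has no meaning and the symbol should be `bool`. The three help blocks also use the legacy `---help---` keyword where current Kconfig style prefers plain `help`. When the series is respun, the wording agreed in this thread ("Define the O_MAYEXEC policy at build time only. As a side effect, this also disables the fs.open_mayexec_enforce sysctl.") should replace the current two-line help text, and it would be worth stating in the help text that OMAYEXEC_ENFORCE_FILE defaults to n while OMAYEXEC_ENFORCE_MOUNT has `default y`, since that asymmetry is easy to miss and decides whether the POSIX-permission check is enforced at all.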