From: "Lev R. Oshvang ."
Date: Sun, 17 May 2020 19:57:51 +0300
Subject: Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property
To: Kees Cook
Cc: Mickaël Salaün, linux-kernel@vger.kernel.org, Aleksa Sarai, Alexei Starovoitov, Al Viro, Andy Lutomirski, Christian Heimes, Daniel Borkmann, Deven Bowers, Eric Chiang, Florian Weimer, James Morris, Jan Kara, Jann Horn, Jonathan Corbet, Lakshmi Ramasubramanian, Matthew Garrett, Matthew Wilcox, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Scott Shell, Sean Christopherson, Shuah Khan, Steve Dower, Steve Grubb, Thibaut Sautereau, Vincent Strubel, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, LSM List, linux-fsdevel@vger.kernel.org
In-Reply-To: <202005140845.16F1CDC@keescook>
References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-3-mic@digikod.net> <202005121407.A339D31A@keescook> <202005140845.16F1CDC@keescook>
List-ID: linux-kernel@vger.kernel.org

On Thu, May 14, 2020 at 6:48 PM Kees Cook wrote:
>
> On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:
> > New sysctl is indeed required to allow userspace that places scripts
> > or libs under noexec mounts.
>
> But since this is a not-uncommon environment, we must have the sysctl
> otherwise this change would break those systems.
>
> But I proposed sysctl on a line below.
> > fs.mnt_noexec_strict =1 (allow, e) , 1 (deny any file with --x
> > permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
> > permissions)
>
> I don't think we want another mount option -- this is already fully
> expressed with noexec and the system-wide sysctl.
>
> --

The intended use of the proposed sysctl is to enable the sysadmin to decide what the desired semantics of a mount with the NO_EXEC option are.

fs.mnt_noexec_scope = 0|1|2|3
0 - means old behaviour, i.e. do not run executables and scripts (default)
1 - deny any file with --x permissions, i.e. executables, scripts and libs
2 - deny any file when O_MAYEXEC is present.

I think this is enough to handle all use cases and to not break current sysadmin file mount settings.

I oppose the new O_MAY_EXECMOUNT flag; the kernel already has MNT_NO_EXEC, SB_NOEXEC and SB_I_NOEXEC and I frankly do not understand why so many variants exist.

Lev
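The scope values sketched in the message above can be made concrete with a small userspace model. The following program is an added example written for this page, not code from the patch series or from any participant in the thread: it reads the noexec flag of a mount through statvfs(), and evaluates a caller-supplied scope against a file's mode bits and the opener's execute intent. The names mount_is_noexec and noexec_policy, the treatment of O_MAYEXEC as a plain boolean (the flag was only proposed in this series and is not a libc constant), and the exact reading of scope 0 (only execve() is refused, open() is never restricted) are assumptions made here for illustration.

```c
/* Added example (not from the thread): userspace model of the
 * fs.mnt_noexec_scope policy described in the message. Scope values and
 * their one-line meanings follow the message; the decision function,
 * helper names and the scope-0 reading are assumptions of this example. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8   /* Linux value; matches MS_NOEXEC in the mount flags */
#endif

enum noexec_scope {
    SCOPE_LEGACY    = 0, /* 0: existing behaviour, only execve() is refused */
    SCOPE_EXEC_BITS = 1, /* 1: refuse any file carrying an execute bit */
    SCOPE_MAYEXEC   = 2, /* 2: refuse when the opener signals execute intent */
};

enum verdict { ALLOW = 0, DENY = 1 };

/* 1 if the filesystem holding `path` is mounted noexec, 0 if it is not,
 * -1 if statvfs() fails (for example because the path does not exist). */
int mount_is_noexec(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return (st.f_flag & ST_NOEXEC) ? 1 : 0;
}

/* Decide whether an access to a file on a mount is permitted.
 *   scope     : fs.mnt_noexec_scope value (0, 1 or 2)
 *   noexec    : 1 if the mount carries noexec
 *   mode      : st_mode of the file
 *   mayexec   : 1 if the caller asked for execute intent (the proposed
 *               O_MAYEXEC flag, modelled as a boolean)
 *   is_execve : 1 for execve(), 0 for open()
 * Unknown scope values fail closed. */
enum verdict noexec_policy(int scope, int noexec, mode_t mode,
                           int mayexec, int is_execve)
{
    if (!noexec)
        return ALLOW;            /* the policy only applies to noexec mounts */
    if (is_execve)
        return DENY;             /* every scope keeps the execve() refusal */
    switch (scope) {
    case SCOPE_LEGACY:
        return ALLOW;            /* noexec never restricted open() */
    case SCOPE_EXEC_BITS:
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? DENY : ALLOW;
    case SCOPE_MAYEXEC:
        return mayexec ? DENY : ALLOW;
    default:
        return DENY;
    }
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp";
    struct stat sb;
    int noexec = mount_is_noexec(path);

    if (noexec < 0 || stat(path, &sb) != 0) {
        perror(path);
        return 1;
    }
    printf("%s: mount %s noexec\n", path, noexec ? "is" : "is not");
    for (int scope = SCOPE_LEGACY; scope <= SCOPE_MAYEXEC; scope++)
        printf("scope %d: open() with execute intent -> %s\n", scope,
               noexec_policy(scope, noexec, sb.st_mode, 1, 0) == DENY
                   ? "DENY" : "ALLOW");
    return 0;
}
```

Run it with a path on a tmpfs mounted with and without noexec to see how the three scopes differ: under scope 1 a 0755 script is refused even without execute intent, under scope 2 a 0644 file is refused as soon as the opener asks to execute it, and scope 0 leaves open() untouched while execve() remains refused in all three.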