Received: by 2002:a25:e74b:0:0:0:0:0 with SMTP id e72csp768408ybh;
        Wed, 22 Jul 2020 12:43:18 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzHqqjQmOUzEnBAmuCx/MvqXIyi6HithjqIifXyoybYkGw5g7nh9CvJ8Q9rysCRlSZtlBR6
X-Received: by 2002:a17:906:6dda:: with SMTP id j26mr1152569ejt.336.1595446998798;
        Wed, 22 Jul 2020 12:43:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1595446998; cv=none;
        d=google.com; s=arc-20160816;
        b=zbCZWl5LvXLiPLhU2Wn2YODfvcrioE3uqnr8SYfB7klZzQDuoVoydLqz7WKwcVBuap
         G9K+7/xJRHm3M+6rjiuGA0cmq35jd610H8n8cZPwo1QYnB4qveAehxbS7uFw0ZE+Ic3g
         nsKrRY5IwwkY3CvpeURYmdZ+DB5gdYjVfd+WBvTPHuq4Q7AVGDZt3f8YaoIh9+Cf6tHK
         ks0LlaVMBkwQ8mOjvRVl/biOFMb8RCmHoVvkfA/urUDKOi2X7GPqIJIg9qlceanjTjLR
         oTu+p/czv+0CF9fUjp/Vw+dEpfv033RhfCXxht1O2mQ6VRO61ocg+7sATEaFWcJBryrB
         +C3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=jjUf3A9HubTVaUqe7Zad+MUemnjZyICfz18It9oZSwM=;
        b=KZmzcqkLi0iki8HOzDxozMwtAhqNZ6Ufwii6+FVRGvvMCGEAt3MsnSx9Q3GKIR3sCH
         IIsFYSSjJWM0FzTyM0B2blRMNBjhdCH7vxUbrKo49C9fZY4QFQuLbFsPXP+bzMdJTPeE
         41ys2wFrdCGvK1nv0hngISBvO23mmjcC6uR9T+mr1bWIHHFvLr2dpgFKYYDLbaP+RyCo
         OMReIUDqyeMY7xR7Njl9UXQkcz/dP/7pIaWnLmQcJR/5sfahEmNpc9NNh0vByOrUdYoR
         peo4n6Yta9tK3VjuBVHukjLxVDDpKyyTLKCuAckWoX16KDTxR09wFa44dolu+wXlqUdp
         ZltQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=BtZ9Nvf8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id w22si574635eds.415.2020.07.22.12.42.54;
        Wed, 22 Jul 2020 12:43:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=BtZ9Nvf8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731019AbgGVTkY (ORCPT
        <rfc822;ArcheFireLinuxKernelMain@gmail.com> + 99 others);
        Wed, 22 Jul 2020 15:40:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43924 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726535AbgGVTkV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 22 Jul 2020 15:40:21 -0400
Received: from mail-pl1-x643.google.com (mail-pl1-x643.google.com [IPv6:2607:f8b0:4864:20::643])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 45FB5C0619E2
        for <linux-kernel@vger.kernel.org>; Wed, 22 Jul 2020 12:40:21 -0700 (PDT)
Received: by mail-pl1-x643.google.com with SMTP id t6so1504424plo.3
        for <linux-kernel@vger.kernel.org>; Wed, 22 Jul 2020 12:40:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to;
        bh=jjUf3A9HubTVaUqe7Zad+MUemnjZyICfz18It9oZSwM=;
        b=BtZ9Nvf8isLyQCQ50XpXD/ebRCdBjkHCCGnxVM0OZAVUpANRBBMkjIj06Zdw9/XpBn
         ZFD8aNoO8CrwWK2+N4nmMD0rTFkdF72k74MsJNFZWuktshu5ucg9wp2qUVlDzWfUY4Ja
         ol6MqQXlLRetbAhUkjy41VWkXgnqEDPN3tA18=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to;
        bh=jjUf3A9HubTVaUqe7Zad+MUemnjZyICfz18It9oZSwM=;
        b=L8qdm8+yObmrQfTFqOOwIfRkkbyRN7rpSw/oCw2icNU8CwvAIslWr8YYDbefgii7KH
         SSXTdxjC2feKVUFNmgP9kTiCxTLKZrazRHckxRjgc0zhrrC1LZ7Y6dOuS//Ga+GAxQdT
         96/0vNgf44tq8rSD5cxlxQn/x7mqEjlLlG/iqvhC8vMsuOFAxt2HUjiVA/GEVC87/eA2
         WP3ygsGm3JvsS+HChoPdFoQudVPTW1N8b+tGEP+FaU0+Y0tj8UpoeainoiFFmRgJUX42
         531y8o5L8bfo8PYfM89ma69du9yS57rXtqP2PI0wOv4E6zA+1U9OMrZXgRfTVey2m9TQ
         NOXw==
X-Gm-Message-State: AOAM53131sUpm7Zzw/Amqci0Lp0CTFe00h1oJwJxb1rWZBmDl4DxF0Wu
        m5LMMQ6HjxooksTK9MkGUnlo7w==
X-Received: by 2002:a17:90b:338d:: with SMTP id ke13mr906409pjb.60.1595446820815;
        Wed, 22 Jul 2020 12:40:20 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id 38sm420287pgu.61.2020.07.22.12.40.19
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 22 Jul 2020 12:40:19 -0700 (PDT)
Date:   Wed, 22 Jul 2020 12:40:19 -0700
From:   Kees Cook <keescook@chromium.org>
To:     =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>
Cc:     Thibaut Sautereau <thibaut.sautereau@clip-os.org>,
        linux-kernel@vger.kernel.org, Aleksa Sarai <cyphar@cyphar.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Andrew Morton <akpm@linux-foundation.org>,
        Andy Lutomirski <luto@kernel.org>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Christian Heimes <christian@python.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Deven Bowers <deven.desai@linux.microsoft.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Eric Biggers <ebiggers@kernel.org>,
        Eric Chiang <ericchiang@google.com>,
        Florian Weimer <fweimer@redhat.com>,
        James Morris <jmorris@namei.org>, Jan Kara <jack@suse.cz>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
        Matthew Garrett <mjg59@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mickael.salaun@ssi.gouv.fr>,
        Mimi Zohar <zohar@linux.ibm.com>,
        Philippe =?iso-8859-1?Q?Tr=E9buchet?= 
        <philippe.trebuchet@ssi.gouv.fr>,
        Scott Shell <scottsh@microsoft.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Steve Dower <steve.dower@python.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
        Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
        kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file
 exec through O_MAYEXEC
Message-ID: <202007221239.E00125F019@keescook>
References: <20200714181638.45751-1-mic@digikod.net>
 <20200714181638.45751-6-mic@digikod.net>
 <202007151312.C28D112013@keescook>
 <35ea0914-7360-43ab-e381-9614d18cceba@digikod.net>
 <20200722161639.GA24129@gandi.net>
 <efb88aab-f9f9-4b66-e7ab-3aa054eec96e@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <efb88aab-f9f9-4b66-e7ab-3aa054eec96e@digikod.net>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 22, 2020 at 09:04:28PM +0200, Micka?l Sala?n wrote:
> 
> On 22/07/2020 18:16, Thibaut Sautereau wrote:
> > On Thu, Jul 16, 2020 at 04:39:14PM +0200, Micka?l Sala?n wrote:
> >>
> >> On 15/07/2020 22:37, Kees Cook wrote:
> >>> On Tue, Jul 14, 2020 at 08:16:36PM +0200, Micka?l Sala?n wrote:
> >>>> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> >>>>  	case S_IFLNK:
> >>>>  		return -ELOOP;
> >>>>  	case S_IFDIR:
> >>>> -		if (acc_mode & (MAY_WRITE | MAY_EXEC))
> >>>> +		if (acc_mode & (MAY_WRITE | MAY_EXEC | MAY_OPENEXEC))
> >>>>  			return -EISDIR;
> >>>>  		break;
> >>>
> >>> (I need to figure out where "open for reading" rejects S_IFDIR, since
> >>> it's clearly not here...)
> > 
> > Doesn't it come from generic_read_dir() in fs/libfs.c?
> > 
> >>>
> >>>>  	case S_IFBLK:
> >>>> @@ -2859,13 +2865,26 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> >>>>  		fallthrough;
> >>>>  	case S_IFIFO:
> >>>>  	case S_IFSOCK:
> >>>> -		if (acc_mode & MAY_EXEC)
> >>>> +		if (acc_mode & (MAY_EXEC | MAY_OPENEXEC))
> >>>>  			return -EACCES;
> >>>>  		flag &= ~O_TRUNC;
> >>>>  		break;
> >>>
> >>> This will immediately break a system that runs code with MAY_OPENEXEC
> >>> set but reads from a block, char, fifo, or socket, even in the case of
> >>> a sysadmin leaving the "file" sysctl disabled.
> >>
> >> As documented, O_MAYEXEC is for regular files. The only legitimate use
> >> case seems to be with pipes, which should probably be allowed when
> >> enforcement is disabled.
> > 
> > By the way Kees, while we fix that for the next series, do you think it
> > would be relevant, at least for the sake of clarity, to add a
> > WARN_ON_ONCE(acc_mode & MAY_OPENEXEC) for the S_IFSOCK case, since a
> > socket cannot be open anyway?

If it's a state that userspace should never be able to reach, then yes,
I think a WARN_ON_ONCE() would be nice.

> We just did some more tests (for the next patch series) and it turns out
> that may_open() can return EACCES before another part returns ENXIO.
> 
> As a reminder, the next series will deny access to block devices,
> character devices, fifo and socket when opened with O_MAYEXEC *and* if
> any policy is enforced (via the sysctl).
> 
> The question is then: do we prefer to return EACCES when a policy is
> enforced (on a socket), or do we stick to the ENXIO? The EACCES approach
> will be more consistent with devices and fifo handling, and seems safer
> (belt and suspenders) thought.

I think EACCES is correct for these cases, since it's a new flag, etc.

-- 
Kees Cook