Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp4702259pxa;
        Mon, 10 Aug 2020 16:13:35 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwRoHxFUm4PTIRv2Ancylfs1J2YC8xkj7/Ovr/s1lL7cVizOcmdWJ1e1i8ZM/gFfl7TYPNo
X-Received: by 2002:a17:906:2296:: with SMTP id p22mr23292981eja.510.1597101214732;
        Mon, 10 Aug 2020 16:13:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597101214; cv=none;
        d=google.com; s=arc-20160816;
        b=JaeRDWTQ03El9ikMJ9P60jiKtS9LM1kBUCwqufD7OsdQlG72y2NxZj4t3HE0iKLLJq
         JargJziWzb+AdJuRn3KUOsX2m3ZXkqYWdFRiw8nisLQy2As15OPxjQSftowTqj3JtmZ8
         sCYvRAjahfPGp7i0vaNLdGGPNW8AH6ZzVHljZQVkow0KhtwC6F8ybmjh61DxNkzlhIHS
         eBRXCT28q0UpXRUxBDVIxg6ItErd4j6nYLwpX0OhoyXoBFNklS41biLrMzy5SO5Qgduc
         9ViVyvUmE03kG1cUyE9HdrULF3+qL6Ig9rD3Btj13Z3/oB/4s4bMIiocruEdauMAh2JY
         v4Rw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=ijUJfSRK6BqpG4N4UqpRd04cbRUaqppixDumUkLiVJA=;
        b=Z4YAeHCxnr1g76Y7Co6aoIe03y9Z0I11//u6IbEdaOJThBKxvPUHvzblUWsJ5IGGOe
         MC0D4qrmP+h64NUNan+0eqlTc1+ug2ZyDfKphc6A5W9aoYpyNeikKKxejaYLXpFTHAZx
         bM7LllsX4X6/gN/97OaWI28KU4tVOOYIm2k6SBgIXHt1YCFWOvtmXkqfdbLT/t/cVbg/
         S/YTAFza45vm3jdOjKgFiOm9O9riWi74blm5LtRGagtY6N6qBchZsOu6OtQt621ImkOh
         9O/fOuCiNut05YYfxD7D15GgIw6zygYfzbr89DdNSiC4SW4ubd/DamB0eRyjddRO/lfT
         hs8A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u24si12642113edb.159.2020.08.10.16.12.52;
        Mon, 10 Aug 2020 16:13:34 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727871AbgHJXFa (ORCPT <rfc822;ivid.suvarna@gmail.com>
        + 99 others); Mon, 10 Aug 2020 19:05:30 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50094 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726722AbgHJXF3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 10 Aug 2020 19:05:29 -0400
Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2515DC06174A;
        Mon, 10 Aug 2020 16:05:29 -0700 (PDT)
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux))
        id 1k5Gr3-00DImD-1Q; Mon, 10 Aug 2020 23:05:21 +0000
Date:   Tue, 11 Aug 2020 00:05:21 +0100
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= <mic@digikod.net>
Cc:     Kees Cook <keescook@chromium.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        linux-kernel@vger.kernel.org, Aleksa Sarai <cyphar@cyphar.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Andy Lutomirski <luto@kernel.org>,
        Christian Brauner <christian.brauner@ubuntu.com>,
        Christian Heimes <christian@python.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Deven Bowers <deven.desai@linux.microsoft.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Eric Biggers <ebiggers@kernel.org>,
        Eric Chiang <ericchiang@google.com>,
        Florian Weimer <fweimer@redhat.com>,
        James Morris <jmorris@namei.org>, Jan Kara <jack@suse.cz>,
        Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>,
        Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
        Matthew Garrett <mjg59@google.com>,
        Matthew Wilcox <willy@infradead.org>,
        Michael Kerrisk <mtk.manpages@gmail.com>,
        Mimi Zohar <zohar@linux.ibm.com>,
        Philippe =?iso-8859-1?Q?Tr=E9buchet?= 
        <philippe.trebuchet@ssi.gouv.fr>,
        Scott Shell <scottsh@microsoft.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Steve Dower <steve.dower@python.org>,
        Steve Grubb <sgrubb@redhat.com>,
        Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
        Thibaut Sautereau <thibaut.sautereau@clip-os.org>,
        Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
        kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org,
        linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH v7 0/7] Add support for O_MAYEXEC
Message-ID: <20200810230521.GG1236603@ZenIV.linux.org.uk>
References: <20200723171227.446711-1-mic@digikod.net>
 <202007241205.751EBE7@keescook>
 <0733fbed-cc73-027b-13c7-c368c2d67fb3@digikod.net>
 <20200810202123.GC1236603@ZenIV.linux.org.uk>
 <917bb071-8b1a-3ba4-dc16-f8d7b4cc849f@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <917bb071-8b1a-3ba4-dc16-f8d7b4cc849f@digikod.net>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 11, 2020 at 12:43:52AM +0200, Micka?l Sala?n wrote:

> Hooking on open is a simple design that enables processes to check files
> they intend to open, before they open them.

Which is a good thing, because...?

> From an API point of view,
> this series extends openat2(2) with one simple flag: O_MAYEXEC. The
> enforcement is then subject to the system policy (e.g. mount points,
> file access rights, IMA, etc.).

That's what "unspecified" means - as far as the kernel concerned, it's
"something completely opaque, will let these hooks to play, semantics is
entirely up to them".
 
> Checking on open enables to not open a file if it does not meet some
> requirements, the same way as if the path doesn't exist or (for whatever
> reasons, including execution permission) if access is denied. It is a
> good practice to check as soon as possible such properties, and it may
> enables to avoid (user space) time-of-check to time-of-use (TOCTOU)
> attacks (i.e. misuse of already open resources).

?????  You explicitly assume a cooperating caller.  If it can't be trusted
to issue the check between open and use, or can be manipulated (ptraced,
etc.) into not doing so, how can you rely upon the flag having been passed
in the first place?  And TOCTOU window is definitely not wider that way.

If you want to have it done immediately after open(), bloody well do it
immediately after open.  If attacker has subverted your control flow to the
extent that allows them to hit descriptor table in the interval between
these two syscalls, you have already lost - they'll simply prevent that
flag from being passed.

What's the point of burying it inside openat2()?  A convenient multiplexor
to hook into?  We already have one - it's called do_syscall_...