Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp4102584pxk; Tue, 8 Sep 2020 10:44:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwPE9bQR2J/Ti5x04BrQWGKeJbSswnNP6dmcSDG8JZC6jumlQ5ECq33rY5R5nwwqDnW4FWS X-Received: by 2002:a05:6402:164d:: with SMTP id s13mr95157edx.222.1599587074158; Tue, 08 Sep 2020 10:44:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599587074; cv=none; d=google.com; s=arc-20160816; b=A5wus9gpYdsm7zpb6LCJnazQ/qcqzXHFL5oAAs3qt/RkvWH+8weBH8ZDJx36mw7ZfN H6RH876Me4QKfhUGvwUJoH7B34wcyfs/QWpCQ2ABv+pMtDAqYODiYk0f7bLG+AE7MQOh 2dvSUTBhJowM14gQmC+3PeHudUfI2ZOGQsyNc4Gri/8RX4aXi+c/J6saBCeTCQ9lEAkJ qAXMFjAMqLbBac3t5ZXY8SSHTvyH6kSBXZaLNdXfbKiwni9lx558ZOKos6fs9Dy0jfM3 rqdGKmsJvbsE68QrUsDzpsBSXZUOxO1vJS0GgPveQwRVQjSut9OPN6eR8fJGAEGFbTny mxMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=xtdyDDmFLb1n/bPdUXOwa5UJMDQzkeNGV49EUd3+LOA=; b=jj+WVeVbGnUWQOnxacYhmzl8MlUm5hPr0wof2qfN+Kq2Z4EPxKm+iix8l9YHeBCtIB pwYIc0uiJPKtUTL36Y64iHsCbODOwDYGrwV7lgP+QSiPKVW6F+VT3ifhy5grjgy/hXoF Qg8W+WKf9f9tDPU0g4mbu5xZ5uHbtBUgQ7BWym/IgeIiT4NcS1CL1Yq65b9JHSe0rfWL ktnoBmi2mvaTFIF24e+EalHq6wCRR0EAOKpsJExJBTWLPkJDLd1HZntdJE2h9BmYBDRE 9HvxJbTiWBiUA7OaB8VUJd26Qxl7cNLpFeycE9lu19xw3G0jwMBB8YgL0zuv8ozwWcvL p41A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KqsK1NT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ss23si7858069ejb.350.2020.09.08.10.44.11; Tue, 08 Sep 2020 10:44:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=KqsK1NT5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728458AbgIHRlh (ORCPT + 99 others); Tue, 8 Sep 2020 13:41:37 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56834 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731623AbgIHQOE (ORCPT ); Tue, 8 Sep 2020 12:14:04 -0400 Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CBB96C061379; Tue, 8 Sep 2020 05:50:25 -0700 (PDT) Received: by mail-ot1-x344.google.com with SMTP id e23so14723553otk.7; Tue, 08 Sep 2020 05:50:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=xtdyDDmFLb1n/bPdUXOwa5UJMDQzkeNGV49EUd3+LOA=; b=KqsK1NT52K0nEsZYDrIpWu/nttM49kNDxDkaTEQ41DlAcJMqFgy9wed9oAOhBOhmp9 JjWIha7WgNUYARkHfU31ZSSrWF9UpyHjc97HwVebb5O26IgiHCFN+l4d/KFWvBWtcZTv Vth5VaeiQvFW3eko41wx4jAtxw2/mg/opj2NomPN7bIdTGl/eFfj34xI+YtfoyBJLhO4 ZYaKesEZJWG9ZzXmK/OlmuV73f6uZZIja67+5/qKm7MUEk2RinVcTzcSZzgUo4ISxXyG s1WPksUe7qCIKILuYyO3eGU9gozVTrOuUEkYGUdPmjxsNt2nTuZ5m4OdpixNMvbgJDBA 7mvQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=xtdyDDmFLb1n/bPdUXOwa5UJMDQzkeNGV49EUd3+LOA=; b=lF7EuLUvOI0d50EyfDmByouOzxgf4sq1SjCTHmYfkzISCy6YEWEyBB+KtUlbkR4Pc/ wYmUwgjQncLYMo273nheXGPfs9qqOnaoE5KZST1BfrIrhybuNJIt52LeBJl7dnzyzejq paAlzDICfBebFXs9lEmrNp6u7FrJ4sBvIkZjgnIeyx4DpLPJqciutF60GD54Ar+trhrB 0VGWGDUV+aPym7jLVv1IYzWQIurGSHAaeG56/wRP0PiVHWyOSUlT9wEHbe3npzTreKgW ClJVbz7OXY/6IjDTNm02eyAZ/TKhWeUF53dit4aOKYCNX0fc7iGViR/5JYEZbYJ2ASZh qQ5g== X-Gm-Message-State: AOAM5329Lt9WlVWVERfGbmmuLfj1q4FARf2K45Mj6q59YtmQ9HYW0888 Z8T/9cZoKGQUMiG8ZR7Nc98Z5AIi+QVFKkij8eY= X-Received: by 2002:a05:6830:1be7:: with SMTP id k7mr17851789otb.162.1599569425234; Tue, 08 Sep 2020 05:50:25 -0700 (PDT) MIME-Version: 1.0 References: <20200908075956.1069018-1-mic@digikod.net> <20200908075956.1069018-2-mic@digikod.net> <75451684-58f3-b946-dca4-4760fa0d7440@digikod.net> In-Reply-To: <75451684-58f3-b946-dca4-4760fa0d7440@digikod.net> From: Stephen Smalley Date: Tue, 8 Sep 2020 08:50:14 -0400 Message-ID: Subject: Re: [RFC PATCH v8 1/3] fs: Introduce AT_INTERPRETED flag for faccessat2(2) To: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= Cc: Mimi Zohar , linux-kernel , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andrew Morton , Andy Lutomirski , Christian Brauner , Christian Heimes , Daniel Borkmann , Deven Bowers , Dmitry Vyukov , Eric Biggers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , Miklos Szeredi , =?UTF-8?Q?Philippe_Tr=C3=A9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Tetsuo Handa , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, LSM List , Linux FS Devel , Thibaut Sautereau , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , John Johansen Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 8, 2020 at 8:43 AM Micka=C3=ABl Sala=C3=BCn w= rote: > > > On 08/09/2020 14:28, Mimi Zohar wrote: > > Hi Mickael, > > > > On Tue, 2020-09-08 at 09:59 +0200, Micka=C3=ABl Sala=C3=BCn wrote: > >> + mode |=3D MAY_INTERPRETED_EXEC; > >> + /* > >> + * For compatibility reasons, if the system-wide = policy > >> + * doesn't enforce file permission checks, then > >> + * replaces the execute permission request with a= read > >> + * permission request. > >> + */ > >> + mode &=3D ~MAY_EXEC; > >> + /* To be executed *by* user space, files must be = readable. */ > >> + mode |=3D MAY_READ; > > > > After this change, I'm wondering if it makes sense to add a call to > > security_file_permission(). IMA doesn't currently define it, but > > could. > > Yes, that's the idea. We could replace the following inode_permission() > with file_permission(). I'm not sure how this will impact other LSMs thou= gh. They are not equivalent at least as far as SELinux is concerned. security_file_permission() was only to be used to revalidate read/write permissions previously checked at file open to support policy changes and file or process label changes. We'd have to modify the SELinux hook if we wanted to have it check execute access even if nothing has changed since open time.