Received: by 2002:ac2:5a04:0:0:0:0:0 with SMTP id q4csp1097193lfn; Wed, 23 Feb 2022 19:15:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJyTLemYx0nhFNvczlZ6Ghv+9LZHFhVZf7BNknYOXFj4THrK9JCJos/WCbx0+C3gYbxB2a6q X-Received: by 2002:a17:902:d4c9:b0:14f:929c:f3c9 with SMTP id o9-20020a170902d4c900b0014f929cf3c9mr741445plg.45.1645672508731; Wed, 23 Feb 2022 19:15:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645672508; cv=none; d=google.com; s=arc-20160816; b=KIojYylxg+tihcC2xs7G/u1+EG/fkXs01uhf8Sxh1I3tPeEVS1LChKjXpTC1Zx8F2r m8B0BH2/YdJXtao7bgsHJrkM5yKErwLS3NlUQAZrgFPdfQXXtdlPYbBuLZNPxUu2iQ+H jD4C0WLKM40/a8iYplWFtwttBSRgvxnDQ4cxJHRt1pIyliG0foBdWP2J1At3maiwwBl8 sv6lf2tZA/ZNcWaxPLnRlP4iXZsjdYbp2trvonkFLoYEiF3HbWpGn+7dmV33pGlG/GHl zKl8pTeS+TICrHVaKdKyVXOFiGbD3XYP+w9vZqKx+xm9NHWYAf/oc2X1t4PzKP7rO8OB zakw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=R2XTHubm34qtzXwVA3ruMMT7BpLGJcOTk/y/ohBRsCk=; b=WIZ7yhdiu6PPGFm7LeAdqsx50KNDvcrKEmQ39BCe7XJigrECidqihrd2jkZtQGYQXk 8ORb5dOSlu6wRiUeu+jA3XuQrXtFjp7q8xl7gXgObQoGDpbDym6QPc7Bc4E/+6ZQVjF4 v1j5yPv0vohaFGF/3oERMb1Tq587kDVMqnsGT8LxFTKNhn7YlffFgbsoC8lX7+Bd8ttz gxd9Q/UYQxQzlJGUxYVeVGYik0KO1RAo8k+1r4GcwJGIyegVIb7kjmHLCNNM9FzEN0KW Qu5aPY9vcu8uHDji3Q0ztz2AiqwP00z1Iz3tmuHX5ScwNOgns+3Lyr4LINaLl7NwLoul hmTg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=BOcBjgdq; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id b19si1319030plz.254.2022.02.23.19.15.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 23 Feb 2022 19:15:08 -0800 (PST) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=BOcBjgdq; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 68ED0252904; Wed, 23 Feb 2022 19:14:54 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229795AbiBXDOl (ORCPT + 99 others); Wed, 23 Feb 2022 22:14:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229694AbiBXDOk (ORCPT ); Wed, 23 Feb 2022 22:14:40 -0500 Received: from mail-yw1-x1134.google.com (mail-yw1-x1134.google.com [IPv6:2607:f8b0:4864:20::1134]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F25A21A2718; Wed, 23 Feb 2022 19:13:49 -0800 (PST) Received: by mail-yw1-x1134.google.com with SMTP id 00721157ae682-2d641c31776so10566327b3.12; Wed, 23 Feb 2022 19:13:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=R2XTHubm34qtzXwVA3ruMMT7BpLGJcOTk/y/ohBRsCk=; b=BOcBjgdqlKkUNhQRx8iJ34wekjnTqi8fvUyoFE8px7UF4sma8TzYuiZrRq8b7grAKY 9FLxRw4T0ukCJbVYH8ophek+sg8NVngm8KpkIRxWXWVEw5xQlM4gC7eQgb3dLFkm2XJm YzcN4EfzMuHJGPOvs6eTITer0PjfP1c1G8p3Bk1tJum43FrOOyZrelIAAhRGlrXECvS9 oXJTJ9W6xr4oqSUSAyjx4SNjNfi9yS+rL1I8ImbA0ZpFp7o03EASSYvCnP0NqJ9f35jG 3Tkspz2B4xLq4MJiASXAduu8RNSYoRPax6Ia3Vm08KChZS5QI8BIzvpqYoWoLBB2fjYw hgRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=R2XTHubm34qtzXwVA3ruMMT7BpLGJcOTk/y/ohBRsCk=; b=PiCGQo/ai0WnN6ZbESErU0VC6IaFvudM96eRoHq/u566nIxOQqgLJTXDhull/wmxbp KLxaviWlAzp4gxYp9dL43wbWVd4TKE1v/l04VMqpauhwrkRkzBcaj9j2q2ZssLLolTaK 7jmYba4pBgWzadJM1KxPyqpgESs7QwE5JuE2XhKpa/1Lnf6RPzVNiR1USXnvs6/cRNDs 82WjA1PAscmx7GWh83Cj6qNLa0Lym1480R9cMoKBpjwa3CwMg/NnSZJUU8fW0fllN27E 4b0106qSMcNV65VCSSDv4U169b5yOgqsMG9O66/WW0YopEmyrWCQOpjUczFp42hWVW9q SRrg== X-Gm-Message-State: AOAM530cqqMOgPw58C86lih7rVoHwBMnS3KPurIDoNA+OwcKZ1fHkXcp qTwuz+j3juVV6moBHasypCSyKxN/f1poYtUEV0B7fuC01uPV9Q== X-Received: by 2002:a0d:ed01:0:b0:2d4:6dfd:bec with SMTP id w1-20020a0ded01000000b002d46dfd0becmr597678ywe.191.1645672428586; Wed, 23 Feb 2022 19:13:48 -0800 (PST) MIME-Version: 1.0 References: <20220223231752.52241-1-ppbuk5246@gmail.com> In-Reply-To: From: Yun Levi Date: Thu, 24 Feb 2022 12:13:37 +0900 Message-ID: Subject: Re: [PATCH] fs/exec.c: Avoid a race in formats To: Al Viro Cc: Kees Cook , "Eric W. Biederman" , linux-fsdevel@vger.kernel.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 24, 2022 at 12:00 PM Al Viro wrote: > > On Thu, Feb 24, 2022 at 08:59:59AM +0900, Yun Levi wrote: > > > I think if someone wants to control their own binfmt via "ioctl" not > > on time on LOAD. > > For example, someone wants to control exec (notification, > > allow/disallow and etc..) > > and want to enable and disable own's control exec via binfmt reg / unreg > > In that situation, While the module is loaded, binfmt is still live > > and can be reused by > > reg/unreg to enable/disable his exec' control. > > Er... So have your ->load_binary() start with > if (I_want_it_disabled) > return -ENOEXEC; > and be done with that. > The only caller of that thing is > list_for_each_entry(fmt, &formats, lh) { > if (!try_module_get(fmt->module)) > continue; > read_unlock(&binfmt_lock); > > retval = fmt->load_binary(bprm); > > read_lock(&binfmt_lock); > put_binfmt(fmt); > if (bprm->point_of_no_return || (retval != -ENOEXEC)) { > read_unlock(&binfmt_lock); > return retval; > } > } > so returning -ENOEXEC is equivalent to not having it in the list. > IDGI... Why bother unregistering/re-registering/etc.? For example, someone wants to control exec via policy (allow or deny exec) In that case, it just wants to confirm the policy NOT LOAD binary but want to pass the LOAD to the next binfmt (That's the reason __register_binfmt with insert). So, To do this, register linux_binfmt with its own with load_binary function like if (this binary allow to run) return -ENOEXEC; // pass to next binfmt to load that binary else if (deny) return -1; And enable / disable is determined by registered or unregistered status. That mean // ioctl hook for enable // enable by register binfmt __register_binfmt(binfmt, 1); // ioctl hook for disable // disable by unreigster binfmt __unregister_binfmt(binfmt); Because, __unregister_binfmt isn't called int module __exit, but call while the module is live, it makes a problem. It looks so strange, But in the case of the kernel without FTRACE, BPF, KPROBE, etc I think there's no other way to control exec running. So I just do stupid test :) But When I read Eric's answer, I think __unregister_binfmt should be only called in the module __exit function... right?