Date: Thu, 10 Mar 2022 18:44:33 +0100
From: Domenico Andreoli
To: Kees Cook
Cc: Eric Biederman, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] binfmt_misc: add two-steps registration (opt-in)
In-Reply-To: <202203100811.F2B43DD@keescook>
List: linux-kernel@vger.kernel.org

On Thu, Mar 10, 2022 at 08:13:25AM -0800, Kees Cook wrote:
> On Tue, Mar 01, 2022 at 02:28:22PM +0100, Domenico Andreoli wrote:
> > From: Domenico Andreoli
> >
> > Experimenting with new interpreter configurations can lead to annoying
> > failures: when the system is left unable to load ELF binaries, power
> > cycling is the only way to get it back operational.
> >
> > This patch tries to mitigate such conditions by adding an opt-in
> > two-steps registration.
> >
> > A new optional field is added to the configuration string: it's an
> > expiration interval for the newly added interpreter. If the user is
> > not able to confirm in time, possibly because the system is broken,
> > the new interpreter is automatically disabled.
>
> Hi!

Hi!

> As this both changes the userspace API and adds timers, I'd like the

Right, but 1. it's backward compatible, 2. it fails on unsupporting kernels.

Out of curiosity, I understand why API changes require care, but what's
so special about the timers?

> change to be really well justified. Can you explain the conditions you
> get into that can't be escaped by just disabling the bad binfmt_misc
> entry?

It happened when I somehow messed up the ELF loader of my system; it was
the very first time I tried to manually configure qemu-user-static for a
foreign architecture. Suddenly I could not do anything, no ls, no cat.

I did not realize that my shell has a built-in echo and that I could
cut-and-paste the path for disabling the bad interpreter.

I did not investigate what I did wrong or what I could do better, I
simply didn't do it again. I just got a deeper understanding of the note
in Debian's update-binfmts manpage:

    If you're not careful, you can break your system with update-binfmts.
    An easy way to do this is to register an ELF binary as a handler for
    ELF, which will almost certainly cause your system to hang
    immediately; even if it doesn't, you won't be able to run
    update-binfmts to fix it.

I shot myself in the foot and I thought the API could be made a bit more
friendly.

Thanks,
Dom

> -Kees
>
> --
> Kees Cook

--
rsa4096: 3B10 0CA1 8674 ACBA B4FE FCD2 CE5B CF17 9960 DE13
ed25519: FFB4 0CC3 7F2E 091D F7DA 356E CC79 2832 ED38 CB05
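The recovery Dom alludes to (disabling the bad entry from a shell that is already running, using only builtins because no external binary can be exec'd through the broken handler), written out as an added example that is not part of this thread or of the kernel's code. It assumes a POSIX shell whose printf, read and test are builtins and the procfs control files documented for binfmt_misc; the directory is passed as a parameter so it can point at a scratch directory, and the entry name qemu-aarch64 is a constructed sample.

```shell
# Added example: disable a misbehaving binfmt_misc entry from an already
# running shell using only builtins (printf, read, test, redirection), so
# nothing has to be exec'd while the ELF handler is broken.
# The directory is a parameter; the real one is /proc/sys/fs/binfmt_misc.

# The first line of an entry file is the kernel's state word ("enabled"
# or "disabled"); read it with the 'read' builtin instead of cat.
binfmt_entry_state() {
    [ -f "$1/$2" ] || return 1
    read -r _state < "$1/$2" || return 1
    printf '%s\n' "$_state"
}

# Writing 0 to an entry disables it; 1 re-enables it; -1 removes it.
# Only a builtin and a redirection are involved: no fork, no exec.
binfmt_disable() {
    [ -f "$1/$2" ] || return 1
    printf '0\n' > "$1/$2"
}

# Emergency brake: 0 written to the 'status' file disables every entry
# at once, handing execution back to the kernel's native ELF loader.
binfmt_disable_all() {
    [ -f "$1/status" ] || return 1
    printf '0\n' > "$1/status"
}

# List entry names with a glob (builtin) instead of ls; the 'status' and
# 'register' control files are skipped.
binfmt_list() {
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        case "${_f##*/}" in status|register) continue ;; esac
        printf '%s\n' "${_f##*/}"
    done
}
```

Against the real mount point this must be run as root; in a scratch directory the entry file simply ends up containing the written 0, whereas the kernel would report it as disabled.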