Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
From: Linus Torvalds
Date: Mon, 4 Apr 2022 16:26:44 -0700
To: Kees Cook
Cc: Mickaël Salaün, Al Viro, Andrew Morton, Christian Heimes, Geert Uytterhoeven, James Morris, Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore, Philippe Trébuchet, Shuah Khan, Steve Dower, Thibaut Sautereau, Vincent Strubel, linux-fsdevel, linux-integrity, Linux Kernel Mailing List, LSM List, Christian Brauner
In-Reply-To: <202204041451.CC4F6BF@keescook>
References: <20220321161557.495388-1-mic@digikod.net> <202204041130.F649632@keescook> <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net> <202204041451.CC4F6BF@keescook>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 4, 2022 at 3:25 PM Kees Cook wrote:
>
> Maybe. I defer to Mickaël here, but my instinct is to avoid creating an
> API that can be accidentally misused. I'd like this to be fd-only based,
> since that removes path name races. (e.g. trusted_for() required an fd.)

Some people want pathnames. Think things like just the PATH thing just
to find the right executable in the first place.

For things like that, races don't matter, because you're just trying to
find the right path to begin with.

> I think this already exists as AT_EACCESS? It was added with
> faccessat2() itself, if I'm reading the history correctly.

Yeah, I noticed myself, I just hadn't looked (and I don't do enough
user-space programming to be aware of it that way).

> > (a) "what about suid bits that user space cannot react to"
>
> What do you mean here? Do you mean setid bits on the file itself?

Right. Maybe we don't care. Maybe we do. Is the user-space loader going
to honor them? Is it going to ignore them? I don't know.

And it actually interacts with things like 'nosuid', which the kernel
does know about, and user space has a hard time figuring out.

So if the point is "give me an interface so that I can do the same thing
a kernel execve() loader would do", then those sgid/suid bits actually
may be exactly the kind of thing that user space wants the kernel to
react to - should it ignore them, or should it do something special when
it sees that they are set?

I'm not saying that they *should* be something we care about. All I'm
saying is that I want that *discussion* to happen.

              Linus
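The fd-bound execute check the thread is circling, as an added C example (not code from the thread, trusted_for() or the kernel): faccessat() with AT_EACCESS, the faccessat2() semantics Kees mentions, asked about an already-opened inode so there is no path race, together with the S_ISUID/S_ISGID bits and the nosuid/noexec mount flags that Linus notes user space struggles to reason about. The EXEC_* names and classify_fd_for_exec() are constructed here; the code assumes Linux, and falls back to the /proc/self/fd link on stacks older than kernel 5.8 / glibc 2.33.

```c
#define _GNU_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000  /* Linux value; hidden unless _GNU_SOURCE is seen first */
#endif
#ifndef ST_NOEXEC
#define ST_NOEXEC 8           /* same bit as MS_NOEXEC; GNU-only in glibc headers */
#endif
enum {  /* result bits; the names are constructed for this example */
    EXEC_PERMITTED = 1 << 0,  /* X_OK for the effective IDs, on the inode held open */
    EXEC_SETID     = 1 << 1,  /* S_ISUID and/or S_ISGID set on the file itself */
    EXEC_NOSUID    = 1 << 2,  /* nosuid mount: execve() would ignore those bits */
    EXEC_NOEXEC    = 1 << 3,  /* noexec mount: the kernel refuses X_OK here */
};
/* X_OK bound to an open fd rather than a path: a rename cannot swap the file
 * between this check and the later read of its contents. */
static int exec_access_on_fd(int fd)
{
    /* faccessat2(2) semantics (Linux 5.8+, glibc 2.33+) accept AT_EMPTY_PATH. */
    if (faccessat(fd, "", X_OK, AT_EACCESS | AT_EMPTY_PATH) == 0)
        return 0;
    /* EPERM: older container seccomp profiles answer that for unknown syscalls. */
    if (errno != EINVAL && errno != ENOSYS && errno != EPERM)
        return -1;  /* a real verdict, normally EACCES */
    char via_proc[64];  /* older stacks: the /proc link resolves to the same open inode */
    snprintf(via_proc, sizeof via_proc, "/proc/self/fd/%d", fd);
    return faccessat(AT_FDCWD, via_proc, X_OK, AT_EACCESS);
}
/* Returns an OR of EXEC_* bits for an open regular file, or -1 with errno set. */
int classify_fd_for_exec(int fd)
{
    struct stat st; struct statvfs vfs;
    int flags = 0;
    if (fstat(fd, &st) < 0 || fstatvfs(fd, &vfs) < 0)
        return -1;
    if (!S_ISREG(st.st_mode)) { errno = EACCES; return -1; }  /* only regular files execute */
    if (st.st_mode & (S_ISUID | S_ISGID)) flags |= EXEC_SETID;
    if (vfs.f_flag & ST_NOSUID)           flags |= EXEC_NOSUID;
    if (vfs.f_flag & ST_NOEXEC)           flags |= EXEC_NOEXEC;
    if (exec_access_on_fd(fd) == 0)
        flags |= EXEC_PERMITTED;
    else if (errno != EACCES)
        return -1;  /* e.g. no /proc mounted: report it rather than guess */
    return flags;
}
```

A loader that gets EXEC_SETID together with EXEC_NOSUID knows the kernel would have ignored the bits on execve(); what it should do with that knowledge is exactly the discussion Linus asks for.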