Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp887539pxb; Wed, 6 Apr 2022 03:16:46 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz7F2R5N6v02r26Rhdt7JoQqguAONV6ovhWJhjkE9dsTb55pa9+KM03aeFzKjmhJfBv8PEb X-Received: by 2002:a17:902:b410:b0:156:35b8:6d10 with SMTP id x16-20020a170902b41000b0015635b86d10mr7907963plr.16.1649240206425; Wed, 06 Apr 2022 03:16:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649240206; cv=none; d=google.com; s=arc-20160816; b=okhYi/JBEyErrG4a2zHu9nw5lZyxLgckWraJaUIjXkOgWsr62zmltApMhnlAOuq1zF WdqjrW1GMtp079jofVx4ihvfB6q1EFLJD6qEY/2XthH/lVS5HEQAIDCFSoEg3LTIkpoh FIJVm4e2BddHiX/spKlZlhPeYCPK4KNxRksWwp3ZIqSaA0JJ1If+xlULK2lqw8HT/LXr oOCCHkMSnfz4DTgJtO07aYCSGJTc2TFu51DlVWRG5+guYZ68L32cc3SKIAkznI38AYFQ 3tvBBykndmVd37sxY4/was6s7rujgAiFyUSNriSe0mbkdfatQrsq64sBSkgfaw8Dl2+H ykcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:subject :from:references:cc:to:content-language:user-agent:mime-version:date :message-id:dkim-signature; bh=X+YfVwGeUgPhXzKEuft+wiSzoE6ofyhVkuqYIpNrX9U=; b=JU6kXBNlz3LmBxUxKZ+JAM+SM0FozR6WYW7O+1jlVLYo4Lw13lZlwMXcHO8ShvgrRG ISoOj5vTriAEzSRPcQPxkiidtYr/BkcRGPnfaCn8qlDtGspgp0MjU0ia8Fsu6TycddwJ Adilh8QsIRBWDTb/7lIDNpPU5YxkERWzZ9RYPzNdUbQ+W+mP5wUAtAId7B1vAiXC42Yg qN2R8WBerKc3QC9TV1VxotcQVYfMeBieJHUVSs+xW5HE+XX1gTFQib5fv8mxfT+5TUUP xG34pTeF+HfVTJDakXyncLcEHOyuwE81VAWnEYfoU+D44Yl6CnYnPSfQmcoiKMUBLpno lODQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=JnDSENf1; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id v8-20020a056a00148800b004fa3a8dff93si16750517pfu.74.2022.04.06.03.16.45 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Apr 2022 03:16:46 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@digikod.net header.s=20191114 header.b=JnDSENf1; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7F76257D229; Wed, 6 Apr 2022 01:45:09 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1578794AbiDEXY7 (ORCPT + 99 others); Tue, 5 Apr 2022 19:24:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45084 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1457506AbiDEQDT (ORCPT ); Tue, 5 Apr 2022 12:03:19 -0400 Received: from smtp-bc08.mail.infomaniak.ch (smtp-bc08.mail.infomaniak.ch [45.157.188.8]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9C9B825292 for ; Tue, 5 Apr 2022 08:55:36 -0700 (PDT) Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4KXsgB4M82zMq0sP; Tue, 5 Apr 2022 17:55:34 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149]) by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4KXsg91X3NzlhSMT; Tue, 5 Apr 2022 17:55:33 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digikod.net; s=20191114; t=1649174134; bh=n8eScuGwrUyyZSJgvZ6lVdoUOYD/v6TfS3yMx/Udtks=; h=Date:To:Cc:References:From:Subject:In-Reply-To:From; b=JnDSENf16eneR0rB24qn+a2KSFPCjzI4EXohLg+3kAT8m4AC3+MfQVCKykfm6TKH2 MCz+01LQ4oBu62PsNO8nwK1T+DFOsDvhCKaFTkZKM9hj4PFy4VmKOnL/ryJ8yuTY6R irEn/3AiFzY58nJOspTOKxoSr9FMCyracTvvgYF8= Message-ID: <673bfc0f-7263-9404-3d88-6cc0ae1a1ae1@digikod.net> Date: Tue, 5 Apr 2022 17:55:58 +0200 MIME-Version: 1.0 User-Agent: Content-Language: en-US To: Kees Cook , Linus Torvalds Cc: Al Viro , Andrew Morton , Christian Heimes , Geert Uytterhoeven , James Morris , Luis Chamberlain , Mimi Zohar , Muhammad Usama Anjum , Paul Moore , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Shuah Khan , Steve Dower , Thibaut Sautereau , Vincent Strubel , linux-fsdevel , linux-integrity , Linux Kernel Mailing List , LSM List , Christian Brauner , Theodore Ts'o References: <20220321161557.495388-1-mic@digikod.net> <202204041130.F649632@keescook> <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net> <202204041451.CC4F6BF@keescook> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) In-Reply-To: <202204041451.CC4F6BF@keescook> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/04/2022 00:25, Kees Cook wrote: > On Mon, Apr 04, 2022 at 02:28:19PM -0700, Linus Torvalds wrote: >> Now, what I *think* you mean is >> >> (1) user-space executable loaders want to be able to test the *same* >> policy as the kernel does for execve() > > Right. The script interpreter wants to ask "if this file were actually > an ELF going through execve(), would the kernel allow it?" The current behavior was a bit more flexible thanks to the sysctl. It was either the mount exec option check, the file perm check or both. The rationale is to let sysadmins adapt their system to existing applications/interpreters without breaking. Only basing the check on mount exec and file perm could be an issue in the short term, but I guess it would deter inconsistencies in existing systems… I'm not sure it is a wise move because if no interpreter want to use this check it would then be useless. See commit message in https://lore.kernel.org/all/20220104155024.48023-3-mic@digikod.net/ and the trusted_for_policy sysctl documentation: "Even without enforced security policy, user space interpreters can use this syscall to try as much as possible to enforce the system policy at their level, knowing that it will not break anything on running systems which do not care about this feature. However, on systems which want this feature enforced, there will be knowledgeable people (i.e. system administrator who configured fs.trusted_for_policy deliberately) to manage it. [...]" > >> (2) access(path, EXECVE_OK) will do the same permission checks as >> "execve()" would do for that path > > Maybe. I defer to Mickaël here, but my instinct is to avoid creating an > API that can be accidentally misused. I'd like this to be fd-only based, > since that removes path name races. (e.g. trusted_for() required an fd.) The fd-based approach is definitely better from a security point of view but there is indeed a use case for pathnames. I guess we could highlight this point in the documentation. > >> (3) if you already have the fd open, use "faccess(fd, NULL, >> F_OK_TO_EXECUTE, AT_EMPTY_PATH)" > > Yes, specifically faccessat2(). (And continuing the race thought above, > yes, there could still be races if the content of the file could be > changed, but that case is less problematic under real-world conditions.) I'm not worried about changes in the file once it is opened. This could be an issue but not in the kernel (e.g. flaky update system). [...]