Date: Tue, 5 Apr 2022 10:54:22 -0400
From: "Theodore Ts'o"
To: Mickaël Salaün
Cc: Linus Torvalds, Kees Cook, Al Viro, Andrew Morton, Christian Heimes, Geert Uytterhoeven, James Morris, Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore, Philippe Trébuchet, Shuah Khan, Steve Dower, Thibaut Sautereau, Vincent Strubel, linux-fsdevel, linux-integrity, Linux Kernel Mailing List, LSM List, Christian Brauner
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
References: <20220321161557.495388-1-mic@digikod.net> <202204041130.F649632@keescook> <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net>
In-Reply-To: <816667d8-2a6c-6334-94a4-6127699d4144@digikod.net>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Apr 04, 2022 at 10:30:13PM +0200, Mickaël Salaün wrote:
> > If you add a new X_OK variant to access(), maybe that could fly.
>
> As answered in private, that was the approach I took for one of the early
> versions but a dedicated syscall was requested by Al Viro:
> https://lore.kernel.org/r/2ed377c4-3500-3ddc-7181-a5bc114ddf94@digikod.net
> The main reason behind this request was that it doesn't have the exact same
> semantic as faccessat(2). The changes for this syscall are documented here:
> https://lore.kernel.org/all/20220104155024.48023-3-mic@digikod.net/
> The whole history is linked in the cover letter:
> https://lore.kernel.org/all/2ed377c4-3500-3ddc-7181-a5bc114ddf94@digikod.net/

As a suggestion, something that can be helpful for something which has been as heavily bike-shedded as this concept might be to write a "legislative history", or perhaps, a "bike shed history".
And not just with links to mailing list discussions, but a short summary of why, for example, we moved from the open flag O_MAYEXEC to the faccessat(2) approach. I looked, but I couldn't find the reasoning while diving into the mail archives. And there was some kind of request for some new functionality for IMA and other LSMs that I couldn't follow, which is why there is the new AT_INTERPRETED flag, but at this point my time quantum for mailing list archeology most definitely expired. :-)

It might be that when all of this is laid out, we can either revisit prior design decisions as "that bike-shed request to support this corner case was unreasonable", or "oh, OK, this is why we need as fully general a solution as this".

Also, some of the examples of potential future use cases, such as "magic links", that were linked in the cover letter, it's not clear to me actually make sense in the context of a "trusted for" system call (although they might make more sense in the context of an open flag). So revisiting some of those other cases to see whether they actually *could* be implemented as new "TRUSTED_FOR" flags might be instructive.

Personally, I'm a bit skeptical about the prospect of additional use cases, since trusted_for(2) is essentially a mother_should_I(2) request where userspace is asking the kernel whether they should go ahead and do some particular policy thing. And it's not clear to me how many of these policy questions exist where (a) the kernel is in the best position to answer that question, and (b) there isn't some additional information that the kernel doesn't have that might be needed to answer that question. For example, "Mother should I use that private key file" might require information about whether the SRE is currently on pager duty or not, at least for some policies, and the kernel isn't going to have that information. Other examples of TRUSTED_FOR flags that really make sense and would be useful might help alleviate my skepticism.
And the "bike shed history" would help with my question about why some folks didn't like the original O_MAYEXEC flag?

Cheers,

- Ted