From: Alyssa Ross
To: Kees Cook
Cc: Alexander Viro, Christian Brauner, Tetsuo Handa, Eric Biederman, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] exec: allow executing block devices
In-Reply-To: <202310101535.CEDA4DB84@keescook>
References: <20231010092133.4093612-1-hi@alyssa.is> <202310101535.CEDA4DB84@keescook>
Date: Wed, 11 Oct 2023 07:38:39 +0000
Message-ID: <87o7h5vcao.fsf@alyssa.is>
X-Mailing-List: linux-kernel@vger.kernel.org

Kees Cook writes:

> On Tue, Oct 10, 2023 at 09:21:33AM +0000, Alyssa Ross wrote:
>> As far as I can tell, the S_ISREG() check is there to prevent
>> executing files where that would be nonsensical, like directories,
>> fifos, or sockets. But the semantics for executing a block device are
>> quite obvious — the block device acts just like a regular file.
>>
>> My use case is having a common VM image that takes a configurable
>> payload to run. The payload will always be a single ELF file.
>>
>> I could share the file with virtio-fs, or I could create a disk image
>> containing a filesystem containing the payload, but both of those add
>> unnecessary layers of indirection when all I need to do is share a
>> single executable blob with the VM. Sharing it as a block device is
>> the most natural thing to do, aside from the (arbitrary, as far as I
>> can tell) restriction on executing block devices. (The only slight
>> complexity is that I need to ensure that my payload size is rounded up
>> to a whole number of sectors, but that's trivial and fast in
>> comparison to e.g. generating a filesystem image.)
>>
>> Signed-off-by: Alyssa Ross
>
> Hi,
>
> Thanks for the suggestion! I would prefer to not change this rather core
> behavior in the kernel for a few reasons, but it mostly revolves around
> both user and developer expectations and the resulting fragility.
>
> For users, this hasn't been possible in the past, so if we make it
> possible, what situations are suddenly exposed on systems that are trying
> to very carefully control their execution environments?

I expect very few, considering it's still necessary to have root chmod
the block device to make it executable.

> For developers, this ends up exercising code areas that have never been
> tested, and could lead to unexpected conditions. For example,
> deny_write_access() is explicitly documented as "for regular files".
> Perhaps it accidentally works with block devices, but this would need
> much more careful examination, etc.
>
> And while looking at this from a design perspective, it looks like a
> layering violation: roughly speaking, the kernel executes files, from
> filesystems, from block devices. Bypassing layers tends to lead to
> troublesome bugs and other weird problems.
>
> I wonder, though, if you can already get what you need through other
> existing mechanisms that aren't too much more hassle? For example,
> what about having a tool that creates a memfd from a block device and
> executes that? The memfd code has been used in a lot of odd exec corner
> cases in the past...

Is it possible to have a file-backed memfd? Strange name if so!
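The userspace alternative Kees describes, written out as an added example that is neither the patch author's nor Kees's code: copy the block device's contents into a memfd, seal the memfd so the copied image cannot be altered before it runs, and fexecve() it. It assumes Linux with glibc's memfd_create() and fexecve(); the device path given on the command line and the memfd name "payload" are placeholders chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the whole contents of `path` (a block device, or any readable file)
 * into an anonymous memfd and return its descriptor, or -1 on error. The
 * memfd is sealed once the copy is complete, so nothing that later obtains
 * the descriptor can change the image between the copy and the exec. */
int copy_to_memfd(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* The memfd name only shows up in /proc/<pid>/fd; it is arbitrary. */
    int mfd = memfd_create("payload", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) { close(src); return -1; }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {                 /* write() may be partial */
            ssize_t w = write(mfd, buf + off, n - off);
            if (w < 0) break;
            off += w;
        }
        if (off < n) { n = -1; break; }   /* short write: give up */
    }
    close(src);
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, F_SEAL_SHRINK | F_SEAL_GROW |
                                          F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <block-device> [args...]\n", argv[0]); return 2; }
    int mfd = copy_to_memfd(argv[1]);
    if (mfd < 0) { perror("copy_to_memfd"); return 1; }
    /* fexecve() replaces this process with the copied image; it returns only on failure. */
    fexecve(mfd, argv + 1, environ);
    perror("fexecve");
    return 1;
}
```

fexecve() on a close-on-exec memfd is fine for an ELF image like the one described in the patch; it would not work for a #! script, whose interpreter needs the descriptor to stay open.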