Received: by 2002:a05:7412:5112:b0:fa:6e18:a558 with SMTP id fm18csp1237743rdb; Wed, 24 Jan 2024 08:46:35 -0800 (PST) X-Google-Smtp-Source: AGHT+IGxESlzlVUgPHp5fejc5W5GOpL+eBpl3u0jq0GYAkjRtaCpjepvHmklvrM/DSmeY6lk1QvE X-Received: by 2002:ad4:5946:0:b0:681:6c3b:a5a6 with SMTP id eo6-20020ad45946000000b006816c3ba5a6mr2987951qvb.10.1706114794870; Wed, 24 Jan 2024 08:46:34 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706114794; cv=pass; d=google.com; s=arc-20160816; b=CCll18ynux6dqBWr1xyu34chZ3W1/CYo/hoT9p8VIH4feES0w5BjY5/jfX3CQGh/Pt PKYLVrW1ezQHN3sZOHa2zo3vWJQ+0NtDeleSgBgC/h+c7+wVDiaMdJDpOBOMfQKPL0VX M/OMzFrVUcAwDcxPlGqzEb8Pg9na4GaZMpeLXIcRXM6Vg/zqcoStG6/sRRu8881VOvW0 YY6BTv9U6lS7YORsj8HBsAOR5YgJxkMrNrjdMXNoe4LGj51CtMl3Iibm3HxqkIZvhckk E0XNxBLsXMG+V8qLQLuHB6PG8Ucx21qfn1OXyO7z/3hUF4abnyt4c39J4Tofc22EF1Ce Zwyw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :dkim-signature; bh=gAV9hUjIFjsOqBZPLiRvCMjNyiBrTHJa47CjdZfZGyc=; fh=vEyhGAtG8HQNiq2dPKrs1TN/cRLM9E83yUZb7T5qaTU=; b=vQtOQkQsRwQELqZ0P8dEwhjQyTlW2dvfyEUnpJ0GLsPOAsljJj/o1Gs5Lt/ZfDPGjZ 0z90MmwsJQ+GjaypHkIjEeBltTaOIlP3VkUwi/y3zsT6hsipsfAExLIqkG4jX3IfweW/ UQS9o8OJHmwQ20H1CqI8aP8m2ZAE/M976jBt0tbeILXEyl/2FaEQ0ayZOmOJjeYW4ESF RLl2xELzMr6K/MkEX/MCZIiYz0l9nMtXDNdVRn2Vb7FsAr0XSCoN+1aw83w3yeR/CVVm r3xKjOZYbEuiMAhNwp+NrKSQUmp+mJhbiTdkRIsdo0zQiLDM6GBUIHJrijmPuDp7L5YG nxXg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Ed5XcKxR; arc=pass (i=1 spf=pass spfdomain=linuxfoundation.org dkim=pass dkdomain=linux-foundation.org); spf=pass (google.com: domain of linux-kernel+bounces-37353-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37353-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id b18-20020a0cc992000000b006840e216ddbsi10765589qvk.331.2024.01.24.08.46.34 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 08:46:34 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-37353-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Ed5XcKxR; arc=pass (i=1 spf=pass spfdomain=linuxfoundation.org dkim=pass dkdomain=linux-foundation.org); spf=pass (google.com: domain of linux-kernel+bounces-37353-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-37353-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 964641C210D1 for ; Wed, 24 Jan 2024 16:46:34 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 4B3087CF3D; Wed, 24 Jan 2024 16:46:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux-foundation.org header.i=@linux-foundation.org header.b="Ed5XcKxR" Received: from mail-ej1-f43.google.com (mail-ej1-f43.google.com [209.85.218.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E8D17E564 for ; Wed, 24 Jan 2024 16:46:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.43 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706114782; cv=none; b=Epv6mYLgHx5VHqgCFZQaZSbVsUMwBV8zmvDdpvqDjQx/JHgijYhMgdavIKV8CmHD2URbfP6fwXTGXMK76amrdkBu3xpmkgJ4AAoCxp7EcFRHGxOFLl+TbCRq4SCvHGqJO/blgCHqj3O1nPZcLZttjQGyqwFOk5hY2favf7jlpaM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706114782; c=relaxed/simple; bh=2p6qpEQ0FQqgHQ9MZJ6hGygl88/GlnO048hMSuetf9g=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=pJPh2Opgloi/Mtkk0KvhG/xU08J2J7e08j2C6Vfk6pW2WfaHFsx79fneMF4bkGH6FkNqq7+hSQfEAvo3GUlqBuu6d6lTB95V9VI7l0TBJboAMxwThh1t1nvZzeIcleENoXcU+PRoB54G/f3DA/fy/WZvP8XX4eQQMn38gQUUrA8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org; spf=pass smtp.mailfrom=linuxfoundation.org; dkim=pass (1024-bit key) header.d=linux-foundation.org header.i=@linux-foundation.org header.b=Ed5XcKxR; arc=none smtp.client-ip=209.85.218.43 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linuxfoundation.org Received: by mail-ej1-f43.google.com with SMTP id a640c23a62f3a-a30e445602cso253058266b.0 for ; Wed, 24 Jan 2024 08:46:20 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; t=1706114778; x=1706719578; darn=vger.kernel.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gAV9hUjIFjsOqBZPLiRvCMjNyiBrTHJa47CjdZfZGyc=; b=Ed5XcKxRANEFyjUxjVjM+3EXeg433iIdKQ+NHDBO13fP02ova6nbaTF5/mIECUYlcC oXqTqFqOKVJSU//AI1yKMDVsZo2EU//OFwcHjf/BQTPjZ5k1gJqueUPRHoZt16kiA4OD B8HhzlYJYM3GkFggqr5BhGgp38ODjMzMEJ35o= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706114778; x=1706719578; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gAV9hUjIFjsOqBZPLiRvCMjNyiBrTHJa47CjdZfZGyc=; b=BTgALKaU9ejRLx8Yp/MOzCt+bdRlLMLSZh0FHztxxU4CFNVi01Yro86b2LG8tFfUYv yRG01P0uU8ZlVD3wA5X3tco88aw82DS4BWsL+E5wo+IUufzt4+IPslE0k1Zkg1Oz9+hq PSVyzNmyWWQtRfoAKTe+yTHt9d82UNX7YdQ12Eh3V8p4tkxm7AZOYhx5FniB2ykquO7E rEnCDmbL7y7sr3g875XY/gu3vPiGeVpLSD/sN4bYNctGyWMEoNuPBb8mbXOVrWzl+GO9 nwWbRUWDeeZt5pac1pp05xoesMf/J4zP2xZdTtx/DlI4DvmsoHFcHxj0ARluKzqM3gq+ 2WWA== X-Gm-Message-State: AOJu0Yyo4ZbNDKTLCyetZyfIPZGQ0PzZVyyfVXsKc7xljwNtn7vIuh9g L3mmtvrOoOo41PsAhz8XjDGwtK0ZraVKq4sR8Web8xoHh2dispFpUfI7gktsEcxLb1mWEtSr4Wc DQCAhLQ== X-Received: by 2002:a17:906:4097:b0:a30:d9ee:3db6 with SMTP id u23-20020a170906409700b00a30d9ee3db6mr1505217ejj.51.1706114778692; Wed, 24 Jan 2024 08:46:18 -0800 (PST) Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com. [209.85.208.47]) by smtp.gmail.com with ESMTPSA id h23-20020a170906261700b00a311a356760sm65509ejc.68.2024.01.24.08.46.17 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Jan 2024 08:46:17 -0800 (PST) Received: by mail-ed1-f47.google.com with SMTP id 4fb4d7f45d1cf-55cdaa96f34so658776a12.1 for ; Wed, 24 Jan 2024 08:46:17 -0800 (PST) X-Received: by 2002:aa7:d44a:0:b0:55c:c7f5:4ce3 with SMTP id q10-20020aa7d44a000000b0055cc7f54ce3mr1287114edr.5.1706114777365; Wed, 24 Jan 2024 08:46:17 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <202401240832.02940B1A@keescook> In-Reply-To: <202401240832.02940B1A@keescook> From: Linus Torvalds Date: Wed, 24 Jan 2024 08:46:00 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper To: Kees Cook Cc: Kevin Locke , John Johansen , Josh Triplett , Mateusz Guzik , Al Viro , linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Content-Type: text/plain; charset="UTF-8" On Wed, 24 Jan 2024 at 08:35, Kees Cook wrote: > > Oh, yikes. This means the LSM lost the knowledge that this open is an > _exec_, not a _read_. > > I will starting looking at this. John might be able to point me in the > right direction more quickly, though. One obvious change in -rc1 is that the exec open was moved much earlier: commit 978ffcbf00d8 ("execve: open the executable file before doing anything else"). If the code ends up deciding "is this an exec" based on some state flag that hasn't been set, that would explain it. Something like "current->in_execve", perhaps? Linus