Subject: Re: [PATCH 1/3] LSM: add security_bprm_aborting_creds() hook
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: "Eric W. Biederman"
Cc: Linus Torvalds, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, LKML
Date: Mon, 29 Jan 2024 13:46:28 +0900
List: linux-kernel@vger.kernel.org
In-Reply-To: <87frygbx04.fsf@email.froward.int.ebiederm.org>
References: <613a54d2-9508-4f87-a163-a25a77a101cd@I-love.SAKURA.ne.jp> <87frygbx04.fsf@email.froward.int.ebiederm.org>

On 2024/01/29 13:10, Eric W. Biederman wrote:
>> @@ -1519,6 +1519,7 @@ static void free_bprm(struct linux_binprm *bprm)
>> }
>> free_arg_pages(bprm);
>> if (bprm->cred) {
>> + security_bprm_aborting_creds(bprm);
>> mutex_unlock(¤t->signal->cred_guard_mutex);
>> abort_creds(bprm->cred);
>
> Why isn't abort_creds calling security_free_cred enough here?

Because security_cred_free() from put_cred_rcu() is called from an RCU
callback rather than from the current thread doing execve(). TOMOYO wants
to restore attributes of the current thread doing execve().

> The fact that somewhere Tomoyo is modifying a credential that the rest
> of the kernel sees as read-only, and making it impossible to just
> restore that credential is very concerning from a maintenance
> perspective.

TOMOYO does not use "struct cred"->security. TOMOYO uses only
"struct task_struct"->security.

  struct lsm_blob_sizes tomoyo_blob_sizes __ro_after_init = {
          .lbs_task = sizeof(struct tomoyo_task),
  };

TOMOYO uses
  security_task_alloc() for allocating "struct task_struct"->security,
  security_task_free() for releasing "struct task_struct"->security,
  security_bprm_check() for updating "struct task_struct"->security,
  security_bprm_committed_creds() for erasing the old "struct task_struct"->security,
  security_bprm_aborting_creds() for restoring the old "struct task_struct"->security.

Commit a6f76f23d297 ("CRED: Make execve() take advantage of copy-on-write
credentials") made it impossible for TOMOYO to do the above. The
current->in_execve flag was a hack for emulating
security_bprm_aborting_creds() using security_prepare_creds().

> Can't Tomoyo simply allow reading of files that have __FMODE_EXEC
> set when allow_execve is set, without needing to perform a domain
> transition, and later back out that domain transition?

No. That does not match TOMOYO's design. The allow_execve keyword does not
imply "allow opening that file for non-execve() purposes".
Also, performing a domain transition before execve() reaches the point of no
return is TOMOYO's design, but COW credentials do not allow such behavior.
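Review bot: the new security_bprm_aborting_creds(bprm) call inside `if (bprm->cred)` fires for every bprm freed with uncommitted creds, including execve() attempts that failed before security_bprm_check() was ever reached, so an LSM implementing the hook must tolerate having nothing to restore; the hook's kerneldoc should say so, and should also state that it runs with current->signal->cred_guard_mutex still held (the call is placed before `mutex_unlock(¤t->signal->cred_guard_mutex);`) and before `abort_creds(bprm->cred);`, so the implementation may still inspect bprm->cred but must not sleep on or re-acquire cred_guard_mutex.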
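As an added illustration of the per-task blob lifecycle Tetsuo describes (task_alloc / task_free / bprm_check / committed_creds / aborting_creds), here is a userspace C model written for this page. It is not kernel code, not TOMOYO's code and not part of the patch; the struct layout, the hook_* names, the "<kernel> /path" domain strings and the run_execve() driver are assumptions chosen for illustration. It shows the transition being performed in bprm_check before the point of no return, erased on commit, restored on abort, and the edge case where the execve() fails before bprm_check ever ran.

```c
/* Added example: userspace model of a TOMOYO-like per-task security blob.
 * Assumed names and layout; not TOMOYO's struct tomoyo_task. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOMAIN_LEN 128

/* Model of "struct task_struct"->security. */
struct task_blob {
	char domain[DOMAIN_LEN];     /* current domain, e.g. "<kernel> /bin/sh" */
	char old_domain[DOMAIN_LEN]; /* domain to fall back to if execve() aborts */
	int in_transition;           /* set between bprm_check and committed/aborting */
};

/* Stand-in for the task; in the kernel this would be current->security. */
struct task {
	struct task_blob *security;
};

/* security_task_alloc(): allocate the blob and start in an initial domain. */
static int hook_task_alloc(struct task *t, const char *initial_domain)
{
	t->security = calloc(1, sizeof(*t->security));
	if (!t->security)
		return -1;
	snprintf(t->security->domain, DOMAIN_LEN, "%s", initial_domain);
	return 0;
}

/* security_task_free(): release the blob. */
static void hook_task_free(struct task *t)
{
	free(t->security);
	t->security = NULL;
}

/* security_bprm_check(): perform the domain transition now, before the point
 * of no return, remembering the old domain so it can be restored on abort. */
static int hook_bprm_check(struct task *t, const char *exec_path)
{
	struct task_blob *b = t->security;

	if (b->in_transition)
		return -1; /* model only: one transition per execve() attempt */
	snprintf(b->old_domain, DOMAIN_LEN, "%s", b->domain);
	snprintf(b->domain, DOMAIN_LEN, "%s %s", b->old_domain, exec_path);
	b->in_transition = 1;
	return 0;
}

/* security_bprm_committed_creds(): execve() succeeded; erase the old domain. */
static void hook_bprm_committed_creds(struct task *t)
{
	struct task_blob *b = t->security;

	b->old_domain[0] = '\0';
	b->in_transition = 0;
}

/* security_bprm_aborting_creds(): execve() failed after bprm->cred was
 * prepared. It must run in the execve()'ing thread (it touches that thread's
 * blob) and must tolerate being called when bprm_check never ran, in which
 * case there is nothing to restore. */
static void hook_bprm_aborting_creds(struct task *t)
{
	struct task_blob *b = t->security;

	if (!b->in_transition)
		return;
	snprintf(b->domain, DOMAIN_LEN, "%s", b->old_domain);
	b->old_domain[0] = '\0';
	b->in_transition = 0;
}

/* Drive one execve() attempt through the hooks. reached_check: the attempt
 * got as far as bprm_check; succeed: it then passed the point of no return.
 * Returns the task's domain afterwards. */
static const char *run_execve(struct task *t, const char *path,
			      int reached_check, int succeed)
{
	if (reached_check && hook_bprm_check(t, path) != 0)
		return NULL;
	if (reached_check && succeed)
		hook_bprm_committed_creds(t);
	else
		hook_bprm_aborting_creds(t); /* free_bprm() with bprm->cred set */
	return t->security->domain;
}

int main(void)
{
	struct task t;

	if (hook_task_alloc(&t, "<kernel>") != 0)
		return 1;
	printf("exec /bin/sh committed      -> %s\n", run_execve(&t, "/bin/sh", 1, 1));
	printf("exec /bin/ls aborted        -> %s\n", run_execve(&t, "/bin/ls", 1, 0));
	printf("exec failed before check    -> %s\n", run_execve(&t, "/bin/ls", 0, 0));
	hook_task_free(&t);
	return 0;
}
```

The second and third attempts end in the same domain as the first: the aborted transition is rolled back by the thread that started it, and an abort that never reached bprm_check is a no-op. An RCU cred-free callback cannot provide this, since it does not run in the execve()'ing thread and has no way to know which task's blob to restore.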