Date: Wed, 7 Feb 2024 06:24:57 -0800
From: Kees Cook
To: Tetsuo Handa
Cc: Linus Torvalds, Eric Biederman, Alexander Viro, Christian Brauner, Jan Kara, Paul Moore, James Morris, "Serge E. Hallyn", linux-security-module, linux-fsdevel, LKML
Subject: Re: [PATCH v2 1/3] LSM: add security_execve_abort() hook
Message-ID: <202402070622.D2DCD9C4@keescook>
References: <8fafb8e1-b6be-4d08-945f-b464e3a396c8@I-love.SAKURA.ne.jp> <999a4733-c554-43ca-a6e9-998c939fbeb8@I-love.SAKURA.ne.jp>
In-Reply-To: <999a4733-c554-43ca-a6e9-998c939fbeb8@I-love.SAKURA.ne.jp>

On Sat, Feb 03, 2024 at 07:52:54PM +0900, Tetsuo Handa wrote:
> A regression caused by commit 978ffcbf00d8 ("execve: open the executable
> file before doing anything else") has been fixed by commit 4759ff71f23e
> ("exec: Check __FMODE_EXEC instead of in_execve for LSMs") and commit
> 3eab830189d9 ("uselib: remove use of __FMODE_EXEC"). While fixing this
> regression, Linus commented that we want to remove current->in_execve flag.
>
> The current->in_execve flag was introduced by commit f9ce1f1cda8b ("Add
> in_execve flag into task_struct.") when TOMOYO LSM was merged, and the
> reason was explained in commit f7433243770c ("LSM adapter functions.").
>
> In short, TOMOYO's design is not compatible with COW credential model
> introduced in Linux 2.6.29, and the current->in_execve flag was added for
> emulating security_bprm_free() hook which has been removed by introduction
> of COW credential model.
>
> security_task_alloc()/security_task_free() hooks have been removed by
> commit f1752eec6145 ("CRED: Detach the credentials from task_struct"),
> and these hooks have been revived by commit 1a2a4d06e1e9 ("security:
> create task_free security callback") and commit e4e55b47ed9a ("LSM: Revive
> security_task_alloc() hook and per "struct task_struct" security blob.").
>
> But security_bprm_free() hook did not revive until now. Now that Linus
> wants TOMOYO to stop carrying state across two independent execve() calls,
> and TOMOYO can stop carrying state if a hook for restoring previous state
> upon failed execve() call were provided, this patch revives the hook.
>
> Since security_bprm_committing_creds() and security_bprm_committed_creds()
> hooks are called when an execve() request succeeded, we don't need to call
> security_bprm_free() hook when an execve() request succeeded. Therefore,
> this patch adds security_execve_abort() hook which is called only when an
> execve() request failed after successful prepare_bprm_creds() call.
>
> Signed-off-by: Tetsuo Handa

This looks good to me. Given this touches execve and is related to the
recent execve changes, shall I carry this in the execve tree for testing
and send a PR to Linus for it before v6.8 releases?

There's already an Ack from Serge, so this seems a reasonable way to go
unless Paul would like it done some other way?

Reviewed-by: Kees Cook

--
Kees Cook
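
The hook ordering described in the quoted commit message, as a small userspace C model added here; it is not code from the patch, the kernel or TOMOYO. The struct, the function names, the `abort_hook` switch and the domain strings are hypothetical and constructed for illustration; only the hook names in the comments come from the mail.

```c
/* Added userspace model, not kernel or TOMOYO code; struct, function and
 * domain names are hypothetical, hook names in comments are from the mail. */
#include <stdbool.h>
#include <string.h>

struct task_model {
    const char *domain;     /* policy domain the task currently runs in */
    const char *old_domain; /* saved on transition; NULL if no exec pending */
};

/* Stands in for security_execve_abort(): restore the previous state. */
static void model_execve_abort(struct task_model *t)
{
    if (t->old_domain) {
        t->domain = t->old_domain;
        t->old_domain = NULL;
    }
}

/* One execve() attempt; abort_hook selects whether the failure path calls
 * the abort hook. Without it the tentative state outlives the failed call. */
static int model_execve(struct task_model *t, const char *next,
                        bool creds_ok, bool load_ok, bool abort_hook)
{
    if (!creds_ok)
        return -1;             /* prepare_bprm_creds() failed: nothing to undo */
    t->old_domain = t->domain; /* exec-time check: tentative domain switch */
    t->domain = next;
    if (!load_ok) {            /* failed after successful prepare_bprm_creds() */
        if (abort_hook)
            model_execve_abort(t);
        return -1;
    }
    t->old_domain = NULL;      /* success: committed-creds path drops the save */
    return 0;
}

/* True if a failed execve() left the task exactly as it was before. */
static bool state_restored_after_failure(bool abort_hook)
{
    struct task_model t = { "dom_shell", NULL }; /* constructed sample */
    model_execve(&t, "dom_shell_missing", true, false, abort_hook);
    return strcmp(t.domain, "dom_shell") == 0 && t.old_domain == NULL;
}

int main(void)
{
    return !(state_restored_after_failure(true) && !state_restored_after_failure(false));
}
```

With `abort_hook` false, the failed call leaves both the tentative domain and the saved one in place, which is the state carried into the next, independent execve() that the mail wants removed.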