From: Kees Cook
To: Linus Torvalds
Cc: Kevin Locke, John Johansen, Kentaro Takeda, Tetsuo Handa, Josh Triplett, Mateusz Guzik, Al Viro, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper
Date: Wed, 24 Jan 2024 10:57:38 -0800

On Wed, Jan 24, 2024 at 09:10:58AM -0800, Linus Torvalds wrote:
> On Wed, 24 Jan 2024 at 08:54, Linus Torvalds wrote:
> >
> > Hmm. That whole thing is disgusting. I think it should have checked
> > FMODE_EXEC, and I have no idea why it doesn't.
>
> Maybe because FMODE_EXEC gets set for uselib() calls too? I dunno. I
> think it would be even better if we had the 'intent' flags from
> 'struct open_flags' available, but they aren't there in the
> file_open() security chain.

I've tested AppArmor, and this works fine:

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 7717354ce095..ab104ce05f96 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -470,7 +470,7 @@ static int apparmor_file_open(struct file *file) * implicit read and executable mmap which are required to * actually execute the image. */ - if (current->in_execve) { + if (file->f_flags & __FMODE_EXEC) { fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; return 0; } Converting TOMOYO is less obvious to me, though, as it has a helper that isn't strictly always called during open(). I haven't finished figuring out the call graphs for it... -- Kees Cook
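
Review bot: In apparmor_file_open(), the new test `file->f_flags & __FMODE_EXEC` is no longer tied to the current task being in execve, and the quoted reply above notes that FMODE_EXEC is also set for uselib() calls, so those opens would now take the same early `return 0` with `fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP`. Please state in the commit message whether granting the implicit read and exec-mmap allowance on that path is intended, and adjust the comment above the test ("required to actually execute the image") so it describes the flag-based condition. The message says AppArmor was tested; noting which cases were exercised (the virt-aa-helper exec of apparmor_parser from the subject line, and a uselib() open if reachable) would make the change easier to verify.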