From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id EBB17C46CD2 for ; Wed, 24 Jan 2024 20:15:10 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 6D0AF6B008C; Wed, 24 Jan 2024 15:15:10 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 6808C6B0092; Wed, 24 Jan 2024 15:15:10 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 521466B0099; Wed, 24 Jan 2024 15:15:10 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 404956B008C for ; Wed, 24 Jan 2024 15:15:10 -0500 (EST) Received: from smtpin01.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 14CCF1C0A2B for ; Wed, 24 Jan 2024 20:15:10 +0000 (UTC) X-FDA: 81715308780.01.9DD89BF Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178]) by imf30.hostedemail.com (Postfix) with ESMTP id 157D28001E for ; Wed, 24 Jan 2024 20:15:07 +0000 (UTC) Authentication-Results: imf30.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b="T/iE9pi0"; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf30.hostedemail.com: domain of keescook@chromium.org designates 209.85.210.178 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706127308; a=rsa-sha256; cv=none; b=PXvTP/Mxz4z4WFGcGJUwWDSvjOU1M00jCh0vD+Dds3NbdV58wIuWnZNbTNLyoESp1mKW7s QLo45GBmu3517hgaPvyR+Z6Mz15ORUfeLqpOldbIb5jGr5+SZJLDLOVxao2UPh67XoVEt5 Lekw1OibvZoHnbSvNjZAL3q128BNg1M= ARC-Authentication-Results: i=1; imf30.hostedemail.com; dkim=pass header.d=chromium.org header.s=google header.b="T/iE9pi0"; dmarc=pass (policy=none) header.from=chromium.org; spf=pass (imf30.hostedemail.com: domain of keescook@chromium.org designates 209.85.210.178 as permitted sender) smtp.mailfrom=keescook@chromium.org ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706127308; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Id1qRAoiWWWvqW/dbMxgihjX2oP7pYm4HN95FDf9D2k=; b=mgliQ4382ySGRDmokAF2Lpz017+iJfYWQbZIgMxDlF+WZWgsi+JR3oQeuZ0HJPZRvTVn8T bos1GmkDlEBz0rYLqryh3kqacpS3xmu769tsp08Fna8hLEuMgEb0Q7kFZTdBpkIUvtyV3r EH+Nj0YWZuaI9BenfpWuthWn855ULso= Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-6dd7c194bb2so38398b3a.0 for ; Wed, 24 Jan 2024 12:15:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; t=1706127307; x=1706732107; darn=kvack.org; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:from:to :cc:subject:date:message-id:reply-to; bh=Id1qRAoiWWWvqW/dbMxgihjX2oP7pYm4HN95FDf9D2k=; b=T/iE9pi0AbZnvFUjd+p5dtiJIrkMg7FbZQP6rVeN/qWPJdHA8yRh3XrL4Ns2xqlmrK pUtIHMHhwtvUXO9FsvfCozL8BDd92TJQpxtFUkiJQwvQrplEaEz7xl269HNxcQbOrSA9 3TsNCAG00ULbdxia7AdfXeE9JACPTgNKXTXZw= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706127307; x=1706732107; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Id1qRAoiWWWvqW/dbMxgihjX2oP7pYm4HN95FDf9D2k=; b=P3Ws2f/zu4PQuojjPds9SMaJD0aC7zWWf7NDZpmzvfyLFqbcqsihg9WzryUKCnMfc/ dODIDLYhjkeNLw98P811H7L+sdDeihpezsScxyMbrJKxMl12y3qkOUwl4Q+d649aUk11 N83s/xH7nP4U9mHvL232OPqbgWG6pBRMHL/AZX9DO4pCuRimakagCR30AoidZtS9nUas tdphNdrZXEpblsEshCMssYz0mfVGkbxPVRXr/AN0fiwCnrHZLAzku4Dg9nrNUUDIDueh N+FtDOS4M7k7cUGjFNyUVZrnFEyTK7K7EdYTN5HVst8z8vrxDgT1hNtm3Yl2nTESjK9N FpOw== X-Gm-Message-State: AOJu0Yxl6Gb5vs9wcZL/RmpGM53UUGoYes35aX+J0OZLDACYFbiT5wpE NTbU/4+J851WTVXrHd8mxdUZEMSQVneVzjwXs91/ET67E1I5qpcX7QZV10xoAQ== X-Google-Smtp-Source: AGHT+IHQpUi+5B9WnuXhSmDXus8mitL4WXU/2ZY6llD9ZE0jvrWSufppkdsO/vLRfpghtMHGOwhO/A== X-Received: by 2002:a05:6a00:9297:b0:6db:9c1:7164 with SMTP id jw23-20020a056a00929700b006db09c17164mr66699pfb.15.1706127306883; Wed, 24 Jan 2024 12:15:06 -0800 (PST) Received: from www.outflux.net ([198.0.35.241]) by smtp.gmail.com with ESMTPSA id fb18-20020a056a002d9200b006ddc2ac59cesm546649pfb.12.2024.01.24.12.15.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jan 2024 12:15:06 -0800 (PST) Date: Wed, 24 Jan 2024 12:15:05 -0800 From: Kees Cook To: Jann Horn Cc: Josh Triplett , Kevin Locke , Linus Torvalds , John Johansen , Paul Moore , James Morris , "Serge E. Hallyn" , Kentaro Takeda , Tetsuo Handa , Alexander Viro , Christian Brauner , Jan Kara , Eric Biederman , Andrew Morton , Sebastian Andrzej Siewior , linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: Re: [PATCH] exec: Check __FMODE_EXEC instead of in_execve for LSMs Message-ID: <202401241206.031E2C75B@keescook> References: <20240124192228.work.788-kees@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: X-Rspam-User: X-Rspamd-Server: rspam06 X-Rspamd-Queue-Id: 157D28001E X-Stat-Signature: yso7sa17qd4pdso3k7oyyhxkodefoca4 X-HE-Tag: 1706127307-790975 X-HE-Meta: U2FsdGVkX1+cF/qLk5jqu1XifH8/EzrMPafstXveljQaDBWnIXnNSAj5i8Hc5YBi/Bxg2dGmyXC5kJWSOeYytZg9J7m2XtnAUnxmR0Pkoo488jhe8tVB3HHEuRsSEZseVdaHsY2L/jJ87LG2RFLEYf7Kh3uqpqqu+CaePqWwRckE+ZaamyjmBD/X+FnwlmECcwGRnL/H4fs4qCPESVC0OKwBbtSUif87HCvLw3W7c0FpdFo5vYfjW8CeC+uGidktKKhrTD8zm+MMKb9wWFS0CpHl/4oc0xU4/jKGfWAfQRR6m0nV7Q1gp1a9517tYyTH4yqnr4ytv+q7M9XvLrqlUxgZ8/hPAV8NRaHahjuuChkwpOTnrzfjTHPxmkOv0L/Ekd9KeQPoFrfhqEkZiYDhhEGWhh3VzQznevWTWCJRKStC/w4rdBy3XAt1PdlHTSySmoLt5pOCDmKtMvo8tk23T9jhwvGckCIdWiUJ6mQx69b1+9lI4qXMqve2SdDgKiLD53K/QI5+cW/Q00A93L7fLlUNP/RmadR/ca8O4VJH3xLDliGAPPryR7NIZf13r3gEXQFfOQ9tc01IEgbH+dn5B4FFouNgdlgGG8RavBMrTsm//xH7u1hxMJ8jlXdJ1IcesEiaKqfuqvAr0QiyB15oM10Rx6woh8+8GmnlhXAhadsNcApPzf1Dws/u4x/Vn8unoV1yfY1DbjaL5uDWuubTo0trW4hHvM7qV0U6iK37OxoZC62XM20UO+ifyrKsRLF20Qqv8NAJSmQP2u4SoAhw9ODjNnjTztkpav4oQFn+YXxQ7LjwBzo4B66D3+UsFrzUV02skWtTsbi7oNHnTQrBdNRpydRMplf1TDb/o7p0flMAnapQXonYNIaLjh6HRltsh5YhvoKt74ODaOr+EwkbjBx16uGpvObmAhPo8g/+y0Vqy/P5uTnZbPWL7MxCy+SdDDH1wbUDtYVZBFNQB80 4R+ymiim ivVIkYHMNuRAtZEKfwaXkW3EqRzXr377wFASZPcaNb9BeXVfqASsoOoovovHcBibE7qjuBnzkY83MT8RuigmFOkJpxk+kYpyv2UFx2B0auaWNKHBL2QTO5bHOBuKuy3Mm25R1 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: On Wed, Jan 24, 2024 at 08:58:55PM +0100, Jann Horn wrote: > On Wed, Jan 24, 2024 at 8:22 PM Kees Cook wrote: > > After commit 978ffcbf00d8 ("execve: open the executable file before > > doing anything else"), current->in_execve was no longer in sync with the > > open(). This broke AppArmor and TOMOYO which depend on this flag to > > distinguish "open" operations from being "exec" operations. > > > > Instead of moving around in_execve, switch to using __FMODE_EXEC, which > > is where the "is this an exec?" intent is stored. Note that TOMOYO still > > uses in_execve around cred handling. > > I think this is wrong. When CONFIG_USELIB is enabled, the uselib() > syscall will open a file with __FMODE_EXEC but without going through > execve(). From what I can tell, there are no bprm hooks on this path. Hrm, that's true. We've been trying to remove uselib for at least 10 years[1]. :( > I don't know if it _matters_ much, given that it'll only let you > read/execute stuff from files with valid ELF headers, but still. Hmpf, and frustratingly Ubuntu (and Debian) still builds with CONFIG_USELIB, even though it was reported[2] to them almost 4 years ago. -Kees [1] https://lore.kernel.org/lkml/20140221181103.GA5773@jtriplet-mobl1/ [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1879454 -- Kees Cook