Date: Thu, 25 Jan 2024 17:38:53 +0100
From: Mickaël Salaün
To: Kees Cook
Cc: Linus Torvalds, Jann Horn, Josh Triplett, Kevin Locke, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", Kentaro Takeda, Tetsuo Handa, Alexander Viro, Christian Brauner, Jan Kara, Eric Biederman, Andrew Morton, Sebastian Andrzej Siewior, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: Re: [PATCH] exec: Check __FMODE_EXEC instead of in_execve for LSMs
Message-ID: <20240125.bais0ieKahz7@digikod.net>
References: <20240124192228.work.788-kees@kernel.org> <202401241206.031E2C75B@keescook> <202401241310.0A158998@keescook>
In-Reply-To: <202401241310.0A158998@keescook>

On Wed, Jan 24, 2024 at 01:32:02PM -0800, Kees Cook wrote:
> On Wed, Jan 24, 2024 at 12:47:34PM -0800, Linus Torvalds wrote:
> > On Wed, 24 Jan 2024 at 12:15, Kees Cook wrote:
> > >
> > > Hmpf, and frustratingly Ubuntu (and Debian) still builds with
> > > CONFIG_USELIB, even though it was reported[2] to them almost 4 years ago.
>
> For completeness, Fedora hasn't had CONFIG_USELIB for a while now.
>
> > Well, we could just remove the __FMODE_EXEC from uselib.
> >
> > It's kind of wrong anyway.
>
> Yeah.
>
> > So I think just removing __FMODE_EXEC would just do the
> > RightThing(tm), and changes nothing for any sane situation.
>
> Agreed about these:
>
> - fs/fcntl.c is just doing a bitfield sanity check.
>
> - nfs_open_permission_mask(), as you say, is only checking for
>   unreadable case.
>
> - fsnotify would also see uselib() as a read, but afaict,
>   that's what it would see for an mmap(), so this should
>   be functionally safe.
>
> This one, though, I need some more time to examine:
>
> - AppArmor, TOMOYO, and LandLock will see uselib() as an
>   open-for-read, so that might still be a problem? As you
>   say, it's more of a mmap() call, but that would mean
>   adding something a call like security_mmap_file() into
>   uselib()...

If user space can emulate uselib() without opening a file with
__FMODE_EXEC, then there is no security reason to keep __FMODE_EXEC for
uselib().

Removing __FMODE_EXEC from uselib() looks OK for Landlock. We use
__FMODE_EXEC to infer if a file is being opened for execution, i.e., by
execve(2).

If __FMODE_EXEC is removed from uselib(), I think it should also be
backported to all stable kernels for consistency though.

> The issue isn't an insane "support uselib() under AppArmor" case, but
> rather "Can uselib() be used to bypass exec/mmap checks?"
>
> This totally untested patch might give appropriate coverage:
>
> diff --git a/fs/exec.c b/fs/exec.c
> index d179abb78a1c..0c9265312c8d 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -143,6 +143,10 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
>  	if (IS_ERR(file))
>  		goto out;
>  
> +	error = security_mmap_file(file, PROT_READ | PROT_EXEC, MAP_FIXED | MAP_SHARED);
> +	if (error)
> +		goto exit;
> +
>  	/*
>  	 * may_open() has already checked for this, so it should be
>  	 * impossible to trip now. But we need to be extra cautious
>
> > Of course, as you say, not having CONFIG_USELIB enabled at all is the
> > _truly_ sane thing, but the only thing that used the FMODE_EXEC bit
> > were landlock and some special-case nfs stuff.
>
> Do we want to attempt deprecation again? This was suggested last time:
> https://lore.kernel.org/lkml/20200518130251.zih2s32q2rxhxg6f@wittgenstein/
>
> -Kees
>
> --
> Kees Cook
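Review bot: in the quoted uselib() hunk above, the flags handed to security_mmap_file() on the added `error = security_mmap_file(file, PROT_READ | PROT_EXEC, MAP_FIXED | MAP_SHARED);` line describe a mapping a library loader would not normally create: loaded segments are mapped private so that relocations and data writes stay copy-on-write, and LSM mmap_file hooks do distinguish shared from private mappings and key on the requested prot, so the decision taken by this up-front call can differ from the one the later per-segment mappings get. Pass the prot and flags the library loader really uses for its segments so the check describes the same mapping it is meant to cover. On the error path, `goto exit` after `if (error)` is the right target only if `exit` is the label that drops the already-opened file; the hunk's own `IS_ERR(file)` path jumps to `out`, so the two labels differ, and the lines that define them are not shown here and should be confirmed.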
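The argument in the reply above that user space can emulate uselib() without ever opening a file with __FMODE_EXEC, as an added example in C that is not code from this thread or from the kernel: it opens a file read-only and maps it PROT_READ|PROT_EXEC, which from an LSM's point of view is an ordinary read open followed by an mmap, the sequence that an exec check keyed only on __FMODE_EXEC at open time never sees as execution. The function names, the result struct and the whole-file mapping are assumptions of this example; a real loader maps individual segments.

```c
/* Added example, not code from the thread or the kernel: user-space emulation
 * of what uselib() does, showing that a library can be mapped executable
 * without any __FMODE_EXEC open. __FMODE_EXEC is kernel-internal and is only
 * set by the kernel's own execve()/uselib() open paths, so this sequence
 * reaches an LSM as open-for-read plus mmap and nothing else. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of the emulated load (assumed layout for this example). */
struct mapped_lib {
	void *base;     /* mapping address, NULL on failure */
	size_t len;     /* mapping length in bytes */
	int open_flags; /* flags used for open(2): O_RDONLY, never an exec intent */
	int mmap_prot;  /* protection requested from mmap(2) */
	int err;        /* errno of the failing step, 0 on success */
};

/* Open @path read-only and map the whole file PROT_READ|PROT_EXEC.
 * Returns 0 on success, -1 on failure with @out->err set. */
int map_library_like_uselib(const char *path, struct mapped_lib *out)
{
	memset(out, 0, sizeof(*out));
	out->open_flags = O_RDONLY | O_CLOEXEC;
	out->mmap_prot = PROT_READ | PROT_EXEC;

	int fd = open(path, out->open_flags);
	if (fd < 0) {
		out->err = errno;
		return -1;
	}

	struct stat st;
	if (fstat(fd, &st) < 0) {
		out->err = errno;
		close(fd);
		return -1;
	}
	/* uselib() only accepts regular files; mirror that here. */
	if (!S_ISREG(st.st_mode) || st.st_size <= 0) {
		out->err = EINVAL;
		close(fd);
		return -1;
	}
	out->len = (size_t)st.st_size;

	/* MAP_PRIVATE: loader segments are copy-on-write, never shared.
	 * This mmap is the only step where an LSM can see PROT_EXEC. */
	void *p = mmap(NULL, out->len, out->mmap_prot, MAP_PRIVATE, fd, 0);
	out->err = (p == MAP_FAILED) ? errno : 0;
	close(fd); /* the mapping stays valid after the descriptor is closed */
	if (p == MAP_FAILED)
		return -1;
	out->base = p;
	return 0;
}

/* Release a mapping made by map_library_like_uselib(). */
void unmap_library(struct mapped_lib *m)
{
	if (m->base)
		munmap(m->base, m->len);
	m->base = NULL;
}

int main(int argc, char **argv)
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <file-to-map>\n", argv[0]);
		return 2;
	}
	struct mapped_lib m;
	if (map_library_like_uselib(argv[1], &m) < 0) {
		fprintf(stderr, "%s: %s\n", argv[1], strerror(m.err));
		return 1;
	}
	printf("mapped %zu bytes at %p via open(O_RDONLY) + mmap(PROT_READ|PROT_EXEC)\n",
	       m.len, m.base);
	unmap_library(&m);
	return 0;
}
```

Run it against any readable regular file; on a mount with noexec the mmap step is what fails (EPERM), which is the mount-level control, not an LSM exec decision. The point for the discussion is that nothing in this sequence ever carries __FMODE_EXEC, so an LSM that wants to govern executable mappings needs its mmap_file hook, not just the open hook.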