Date: Fri, 26 Jan 2024 11:47:27 +0100
From: Jan Kara
To: Kees Cook
Cc: Kevin Locke, Jann Horn, Linus Torvalds, Eric Biederman, Alexander Viro, Christian Brauner, Jan Kara, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org, Matthew Bobrowski, amir73il@gmail.com, Steve Grubb
Subject: Re: [PATCH] exec: Remove __FMODE_EXEC from uselib()
Message-ID: <20240126104727.rzksht5mjkanvo5n@quack3>
References: <20240124220619.work.227-kees@kernel.org>
In-Reply-To: <20240124220619.work.227-kees@kernel.org>

On Wed 24-01-24 14:06:23, Kees Cook wrote:
> Path-based LSMs will bypass uselib() "open" checks since commit
> 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
> so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
> "mmap" hooks will be restored. (uselib() never set current->in_execve.)
>
> Other things that checked __FMODE_EXEC:
>
> - fs/fcntl.c is just doing a bitfield sanity check.
>
> - nfs_open_permission_mask() is only checking for the
>   "unreadable exec" case, which is not an issue for uselib(),
>   which sets MAY_READ, unlike execve().
>
> - fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but
>   rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't
>   an exec: it's more like mmap(), which fsnotify doesn't intercept.

OK, I went back to the original discussion with Steve Grubb and Matthew
Bobrowski who asked for FS_OPEN_EXEC_PERM and AFAICT this change in
uselib() should be fine wrt usecases we discussed. That doesn't mean there
cannot be some userspace which will get broken by this (in which case we'd
have to revert or find some other solution) but I'm willing to try. I'm
also CCing Steve & Matthew for input but from my side feel free to add:

Acked-by: Jan Kara

Honza

>
> Reported-by: Jann Horn
> Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/
> Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs")
> Suggested-by: Linus Torvalds
> Cc: Kevin Locke
> Cc: Eric Biederman
> Cc: Alexander Viro
> Cc: Christian Brauner
> Cc: Jan Kara
> Cc: linux-mm@kvack.org
> Cc: linux-fsdevel@vger.kernel.org
> Signed-off-by: Kees Cook
> ---
> fs/exec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index d179abb78a1c..af4fbb61cd53 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
> struct filename *tmp = getname(library);
> int error = PTR_ERR(tmp);
> static const struct open_flags uselib_flags = {
> - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
> + .open_flag = O_LARGEFILE | O_RDONLY,
> .acc_mode = MAY_READ | MAY_EXEC,
> .intent = LOOKUP_OPEN,
> .lookup_flags = LOOKUP_FOLLOW,
> --
> 2.34.1
>
--
Jan Kara
SUSE Labs, CR
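
Review bot: in the `uselib_flags` initializer, `.open_flag` now omits `__FMODE_EXEC` while `.acc_mode` on the following line still requests `MAY_EXEC`, and nothing in the code says this asymmetry is deliberate. A short comment above `.open_flag = O_LARGEFILE | O_RDONLY,` (for example, that uselib() is not an exec, so the LSM "open" hooks must see it as an ordinary open) would keep a later cleanup from re-adding the flag and restoring the bypass of path-based LSM checks described in the commit message. The commit message also notes that fsnotify will report uselib() as FS_OPEN_PERM instead of FS_OPEN_EXEC_PERM; since that is visible to userspace listeners, it deserves a mention in the same comment or in the documentation rather than only in the changelog.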