Message-ID: <8a2dc0a2-12c0-4389-a36d-8e8db0653fae@schaufler-ca.com>
Date: Fri, 15 Mar 2024 11:41:06 -0700
Subject: Re: [RFC PATCH 1/2] lsm: introduce new hook security_vm_execstack
From: Casey Schaufler
To: Christian Göttsche
Cc: linux-security-module@vger.kernel.org, Eric Biederman, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Paul Moore, James Morris, Serge E. Hallyn, Khadija Kamran, Andrii Nakryiko, Alexei Starovoitov, Ondrej Mosnacek, Roberto Sassu, Alfred Piccioni, John Johansen, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler
References: <20240315181032.645161-1-cgzones@googlemail.com> <20240315181032.645161-2-cgzones@googlemail.com>

On 3/15/2024 11:30 AM, Christian Göttsche wrote:
> On Fri, 15 Mar 2024 at 19:22, Casey Schaufler wrote:
>> On 3/15/2024 11:08 AM, Christian Göttsche wrote:
>>> Add a new hook guarding instantiations of programs with executable
>>> stack. They are being warned about since commit 47a2ebb7f505 ("execve:
>>> warn if process starts with executable stack"). Let's give LSMs the
>>> ability to control their presence on a per application basis.
>> This seems like a hideously expensive way to implement a flag
>> disallowing execution of programs with executable stacks. What's
>> wrong with adding a flag VM_NO_EXECUTABLE_STACK?
> That would be global and not on a per application basis.
> One might want to exempt known legacy programs.

OK, I can see that.

> Also is performance a concern for this today's rare occurrence?

Performance is *always* a concern. You're adding a new hook list for a
"rare" case. You're extending SELinux policy to include the case. This
really should be a hardening feature, not an SELinux policy feature.
The hook makes no sense for an LSM like Smack, which only implements subject+object controls. You could implement a stand alone LSM that implements only this hook, but again, it's not really access control, it's hardening.
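Whether a program "starts with an executable stack" is decided at execve time from its PT_GNU_STACK program header, so an administrator weighing the proposed hook against a global flag can first inventory which binaries would actually be affected. The following is an added example, not code from the patch series or the thread: it parses the program header table of an ELF64 little-endian image and reports the requested stack permissions. The treatment of a missing PT_GNU_STACK as "default" (historically an executable stack on x86) is an assumption stated in the code; the `build_elf` helper only constructs synthetic test images.

```python
import struct

PT_GNU_STACK = 0x6474E551  # GNU extension: requested stack permissions
PT_LOAD = 1
PF_X = 0x1
ELF_MAGIC = b"\x7fELF"


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header in a 64-bit little-endian
    ELF image, or None when the header is absent."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_verdict(data: bytes) -> str:
    """'exec' / 'noexec' from PT_GNU_STACK; 'default' when the header is
    missing (assumption: legacy binary, executable stack on x86)."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "default"
    return "exec" if flags & PF_X else "noexec"


def build_elf(stack_flags=None) -> bytes:
    """Construct a minimal synthetic ELF64 image: one PT_LOAD segment and,
    when stack_flags is given, a PT_GNU_STACK header with those flags."""
    phdrs = [(PT_LOAD, 0x5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type=EXEC, e_machine=x86-64, e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0,
                               0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, stack_verdict(f.read()))
```

Run against a directory of installed binaries, the script lists exactly the programs the execve warning fires for today and that a per-application policy would have to exempt or deny.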