From: Jann Horn
Date: Thu, 25 Jan 2024 15:59:18 +0100
Subject: Re: [PATCH] exec: Check __FMODE_EXEC instead of in_execve for LSMs
To: Tetsuo Handa
Cc: Kees Cook, Linus Torvalds, Josh Triplett, Kevin Locke, John Johansen, Paul Moore, James Morris, "Serge E. Hallyn", Kentaro Takeda, Alexander Viro, Christian Brauner, Jan Kara, Eric Biederman, Andrew Morton, Sebastian Andrzej Siewior, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, apparmor@lists.ubuntu.com, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
In-Reply-To: <62d1c43c-18e5-4ddf-ad85-c47e5c58d79a@I-love.SAKURA.ne.jp>

On Thu, Jan 25, 2024 at 3:35 PM Tetsuo Handa wrote:
>
> On 2024/01/25 6:50, Kees Cook wrote:
> > Yeah, I was just noticing this. I was over thinking. :) It does look
> > like all that is needed is to remove __FMODE_EXEC.
>
> I worry that some out-of-tree kernel code continues using __FMODE_EXEC for
> opening for non-execve() purpose. If that happened, TOMOYO will be fooled...

I just scrolled through the Github code search results for the query
"__FMODE_EXEC -path:fs/exec.c -path:fs/fcntl.c -path:fs/nfs/
-path:security/tomoyo/ -path:security/apparmor/
-path:include/linux/fsnotify.h -path:nfs/dir.c
-path:include/linux/fs.h -path:security/landlock/", and the only place
I saw in there that sets __FMODE_EXEC, other than copies of core
kernel code in weirdly named files, was this one hit in a patch for
the 2.6.39 kernel to add plan9 syscalls:

https://github.com/longlene/clx/blob/fdf996e0c2a7835d61ee827a82146723de76a364/sys-kernel/glendix-sources/files/glendix_2.6.39.patch#L2833

Debian codesearch also doesn't show anything relevant.

So I don't think we have to be particularly worried about that.
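
A local version of the search described in the message above, as an added example that is not part of the original email or of any kernel tooling: it walks a source tree, applies the same path exclusions, and separates lines that set __FMODE_EXEC from lines that only test it. The substring path matching, the regex heuristics and the sample tree (including the hypothetical drivers/oot/loader.c) are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Path fragments excluded by the query quoted in the message above, applied
# here as plain substring matches (an approximation of the search syntax).
EXCLUDED = ("fs/exec.c", "fs/fcntl.c", "fs/nfs/", "security/tomoyo/",
            "security/apparmor/", "include/linux/fsnotify.h", "nfs/dir.c",
            "include/linux/fs.h", "security/landlock/")
SUFFIXES = (".c", ".h", ".patch")
DEFINE = re.compile(r"^[+\s]*#\s*define\s+__FMODE_EXEC\b")
# Heuristics: "set" = flag OR-ed in or assigned; "test" = flag masked with &.
SET = re.compile(r"(\||(?<![=!<>&])=)\s*\(?\s*__FMODE_EXEC\b|\b__FMODE_EXEC\s*\|")
TEST = re.compile(r"&\s*__FMODE_EXEC\b")
# Constructed sample tree; drivers/oot/loader.c is hypothetical, not real code.
SAMPLE = {
    "fs/exec.c": ".open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,\n",
    "drivers/oot/loader.c": "if (f->f_flags & __FMODE_EXEC)\n"
                            "\treturn -EACCES;\nf->f_flags |= __FMODE_EXEC;\n",
}

def classify(line):
    """Return 'define', 'set', 'test' or 'other'; None if the flag is absent."""
    if "__FMODE_EXEC" not in line:
        return None
    kinds = (("define", DEFINE), ("set", SET), ("test", TEST))
    return next((k for k, rx in kinds if rx.search(line)), "other")

def audit(root):
    """Return (relative path, line number, kind) for each non-excluded hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        skip = any(frag in rel for frag in EXCLUDED)
        if skip or not path.is_file() or path.suffix not in SUFFIXES:
            continue
        lines = path.read_text(errors="replace").splitlines()
        hits += [(rel, n, classify(s)) for n, s in enumerate(lines, 1) if classify(s)]
    return hits

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Hits classified as "set" outside the excluded paths are the ones that matter for the concern raised in the quoted message; "test" hits only read the flag.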