References: <20240315181032.645161-1-cgzones@googlemail.com> <20240315181032.645161-2-cgzones@googlemail.com>
From: Christian Göttsche
Date: Fri, 15 Mar 2024 19:30:23 +0100
Subject: Re: [RFC PATCH 1/2] lsm: introduce new hook security_vm_execstack
To: Casey Schaufler
Cc: linux-security-module@vger.kernel.org, Eric Biederman, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Paul Moore, James Morris, "Serge E. Hallyn", Khadija Kamran, Andrii Nakryiko, Alexei Starovoitov, Ondrej Mosnacek, Roberto Sassu, Alfred Piccioni, John Johansen, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

On Fri, 15 Mar 2024 at 19:22, Casey Schaufler wrote:
>
> On 3/15/2024 11:08 AM, Christian Göttsche wrote:
> > Add a new hook guarding instantiations of programs with executable
> > stack. They are being warned about since commit 47a2ebb7f505 ("execve:
> > warn if process starts with executable stack"). Let's give LSMs the
> > ability to control their presence on a per application basis.
>
> This seems like a hideously expensive way to implement a flag
> disallowing execution of programs with executable stacks. What's
> wrong with adding a flag VM_NO_EXECUTABLE_STACK?

That would be global and not on a per application basis.
One might want to exempt known legacy programs.
Also, is performance a concern for this today's rare occurrence?
> > > > Signed-off-by: Christian G=C3=B6ttsche > > --- > > fs/exec.c | 4 ++++ > > include/linux/lsm_hook_defs.h | 1 + > > include/linux/security.h | 6 ++++++ > > security/security.c | 13 +++++++++++++ > > 4 files changed, 24 insertions(+) > > > > diff --git a/fs/exec.c b/fs/exec.c > > index 8cdd5b2dd09c..e6f9e980c6b1 100644 > > --- a/fs/exec.c > > +++ b/fs/exec.c > > @@ -829,6 +829,10 @@ int setup_arg_pages(struct linux_binprm *bprm, > > BUG_ON(prev !=3D vma); > > > > if (unlikely(vm_flags & VM_EXEC)) { > > + ret =3D security_vm_execstack(); > > + if (ret) > > + goto out_unlock; > > + > > pr_warn_once("process '%pD4' started with executable stac= k\n", > > bprm->file); > > } > > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_def= s.h > > index 185924c56378..b31d0744e7e7 100644 > > --- a/include/linux/lsm_hook_defs.h > > +++ b/include/linux/lsm_hook_defs.h > > @@ -49,6 +49,7 @@ LSM_HOOK(int, 0, syslog, int type) > > LSM_HOOK(int, 0, settime, const struct timespec64 *ts, > > const struct timezone *tz) > > LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) > > +LSM_HOOK(int, 0, vm_execstack, void) > > LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) > > LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, cons= t struct file *file) > > LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) > > diff --git a/include/linux/security.h b/include/linux/security.h > > index d0eb20f90b26..084b96814970 100644 > > --- a/include/linux/security.h > > +++ b/include/linux/security.h 
> > @@ -294,6 +294,7 @@ int security_quota_on(struct dentry *dentry); > > int security_syslog(int type); > > int security_settime64(const struct timespec64 *ts, const struct timez= one *tz); > > int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); > > +int security_vm_execstack(void); > > int security_bprm_creds_for_exec(struct linux_binprm *bprm); > > int security_bprm_creds_from_file(struct linux_binprm *bprm, const str= uct file *file); > > int security_bprm_check(struct linux_binprm *bprm); > > @@ -624,6 +625,11 @@ static inline int security_vm_enough_memory_mm(str= uct mm_struct *mm, long pages) > > return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pag= es)); > > } > > > > +static inline int security_vm_execstack(void) > > +{ > > + return 0; > > +} > > + > > static inline int security_bprm_creds_for_exec(struct linux_binprm *bp= rm) > > { > > return 0; > > diff --git a/security/security.c b/security/security.c > > index 0144a98d3712..f75240d0d99d 100644 > > --- a/security/security.c > > +++ b/security/security.c > > @@ -1125,6 +1125,19 @@ int security_vm_enough_memory_mm(struct mm_struc= t *mm, long pages) > > return __vm_enough_memory(mm, pages, cap_sys_admin); > > } > > > > +/** > > + * security_vm_execstack() - Check if starting a program with executab= le stack > > + * is allowed > > + * > > + * Check whether starting a program with an executable stack is allowe= d. > > + * > > + * Return: Returns 0 if permission is granted. > > + */ > > +int security_vm_execstack(void) > > +{ > > + return call_int_hook(vm_execstack); > > +} > > + > > /** > > * security_bprm_creds_for_exec() - Prepare the credentials for exec() > > * @bprm: binary program information
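Review bot: In the fs/exec.c hunk the new check sits inside setup_arg_pages(), after the stack VMA has already been moved and its flags computed, and a non-zero return just takes the existing `goto out_unlock` path; the patch does not say what that means for the exec in progress (whether the caller of execve() sees an error or the partially set-up process is torn down). Please state the intended outcome of a denial in the cover text and in the kernel-doc, since an LSM author has to know whether returning an error here is a clean refusal or a kill.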
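Review bot: `LSM_HOOK(int, 0, vm_execstack, void)` in the include/linux/lsm_hook_defs.h hunk passes nothing to the LSM, so an implementation can only look at `current` to decide, yet the stated goal is control "on a per application basis" (exempting known legacy programs). The caller in fs/exec.c already has `bprm` in scope (it uses `bprm->file` in the next line), so passing `struct linux_binprm *bprm` like the neighbouring `bprm_creds_for_exec`/`bprm_check_security` hooks would give policies the file being executed; a `bprm_` prefix would also make the placement next to `vm_enough_memory` less surprising.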
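Review bot: In the security/security.c hunk the kernel-doc for security_vm_execstack() repeats its brief description verbatim as the long description, and `Return: Returns 0 if permission is granted.` documents only the success case. Drop the duplicated sentence and state the denial contract (a negative errno, which setup_arg_pages() propagates unchanged), so that LSM implementers and the caller agree on what non-zero means.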
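Added example (not code from the patch or the thread): the ELF-level condition behind this hook is a PT_GNU_STACK program header with PF_X set, which is what makes the loader map the stack with VM_EXEC and reach the check in setup_arg_pages(); the C below classifies an ELF64 image accordingly, which is handy for inventorying the legacy programs an LSM policy would have to exempt. It assumes glibc's <elf.h> and a little-endian ELF64 image; build_sample is a constructed helper, not a real API, that fabricates a minimal header so the check runs offline.

```c
/* Added example, not from the patch: classify an ELF64 image by its
 * PT_GNU_STACK header. PF_X there is what makes load_elf_binary() map
 * the stack with VM_EXEC, the case the hook above guards.
 * Assumes glibc <elf.h> and a little-endian (ELFDATA2LSB) image. */
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* 1: PT_GNU_STACK with PF_X (executable stack requested)
 * 0: PT_GNU_STACK without PF_X; -1: no PT_GNU_STACK (arch default)
 * -2: not a well-formed little-endian ELF64 image */
int gnu_stack_exec(const unsigned char *buf, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -2;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -2;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -2;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? 1 : 0;
    }
    return -1;
}

/* Constructed sample (hypothetical helper): minimal ELF64 header plus
 * one program header of type ptype with flags pflags; returns its size. */
size_t build_sample(unsigned char *buf, uint32_t ptype, uint32_t pflags)
{
    Elf64_Ehdr eh = { .e_type = ET_EXEC, .e_phoff = sizeof(Elf64_Ehdr),
                      .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 1 };
    Elf64_Phdr ph = { .p_type = ptype, .p_flags = pflags };
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}
```

To check an installed binary, read the file into memory and pass it to gnu_stack_exec(); run over a directory tree this lists the programs whose exec would hit the hook.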