From: Tetsuo Handa
Date: Thu, 25 Jan 2024 23:16:42 +0900
Subject: Re: [6.8-rc1 Regression] Unable to exec apparmor_parser from virt-aa-helper
To: Linus Torvalds, Kees Cook, John Johansen, Paul Moore
Cc: Kevin Locke, Josh Triplett, Mateusz Guzik, Al Viro, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Kentaro Takeda
References: <202401240832.02940B1A@keescook> <202401240916.044E6A6A7A@keescook>

On 2024/01/25 3:27, Linus Torvalds wrote:
> The whole cred use of current->in_execve in tomoyo should
> *also* be fixed, but I didn't even try to follow what it actually
> wanted.

Due to TOMOYO's unique domain transition (it transits to the new domain before execve() succeeds and returns to the old domain if execve() failed), TOMOYO depends on the tricky ordering shown below.

----------
// a caller tries execve().
sys_execve() {
  do_execve() {
    do_execveat_common() {
      bprm_execve() {
        prepare_bprm_creds() {
          prepare_exec_creds() {
            prepare_creds() {
              security_prepare_creds() {
                tomoyo_cred_prepare() {
                  if (s->old_domain_info && !current->in_execve) { // false because s->old_domain_info == NULL.
                    s->domain_info = s->old_domain_info;
                    s->old_domain_info = NULL;
                  }
                }
              }
            }
          }
        }
        current->in_execve = 1;
        do_open_execat() {
          (...snipped...)
          security_file_open() {
            tomoyo_file_open() // Not checked because current->in_execve == 1.
          }
          (...snipped...)
        }
        exec_binprm() {
          search_binary_handler() {
            security_bprm_check() {
              tomoyo_bprm_check_security() {
                if (!s->old_domain_info) { // true because s->old_domain_info == NULL.
                  tomoyo_find_next_domain() { // Checks execute permission here.
                    s->old_domain_info = s->domain_info; // Remember old domain.
                    s->domain_info = domain; // Transit to new domain.
                  }
                }
              }
            }
            fmt->load_binary() { // e.g. load_script() in fs/binfmt_script.c
              open_exec() { // Not checked because current->in_execve == 1.
              }
            }
          }
          search_binary_handler() {
            security_bprm_check() {
              tomoyo_bprm_check_security() {
                if (!s->old_domain_info) { // false because s->old_domain_info != NULL.
                } else { // Checks read permission here.
                }
              }
            }
          }
          // An error happens after s->domain_info was updated.
        }
        current->in_execve = 0; // No chance to restore s->domain_info.
      }
    }
  }
  // returning an error code to the caller.
}
// the caller retries execve().
sys_execve() {
  do_execve() {
    do_execveat_common() {
      bprm_execve() {
        prepare_bprm_creds() {
          prepare_exec_creds() {
            prepare_creds() {
              security_prepare_creds() {
                tomoyo_cred_prepare() {
                  if (s->old_domain_info && !current->in_execve) { // true because s->old_domain_info != NULL && current->in_execve == 0.
                    s->domain_info = s->old_domain_info; // Transit to old domain.
                    s->old_domain_info = NULL;
                  }
                }
              }
            }
          }
        }
        current->in_execve = 1;
        do_open_execat() {
          (...snipped...)
          security_file_open() {
            tomoyo_file_open() // Not checked because current->in_execve == 1.
          }
          (...snipped...)
        }
        exec_binprm() {
          search_binary_handler() {
            security_bprm_check() {
              tomoyo_bprm_check_security() {
                if (!s->old_domain_info) { // true because s->old_domain_info == NULL.
                  tomoyo_find_next_domain() { // Checks execute permission here.
                    s->old_domain_info = s->domain_info; // Remember old domain.
                    s->domain_info = domain; // Transit to new domain.
                  }
                }
              }
            }
            fmt->load_binary() { // e.g. load_script() in fs/binfmt_script.c
              open_exec() { // Not checked because current->in_execve == 1.
              }
            }
          }
          search_binary_handler() {
            security_bprm_check() {
              tomoyo_bprm_check_security() {
                if (!s->old_domain_info) { // false because s->old_domain_info != NULL.
                } else { // Checks read permission here.
                }
              }
            }
          }
          fmt->load_binary() { // e.g. load_elf_binary() in fs/binfmt_elf.c
            begin_new_exec() {
              security_bprm_committed_creds() {
                tomoyo_bprm_committed_creds() {
                  s->old_domain_info = NULL; // Forget old domain.
                }
              }
            }
          }
        }
        current->in_execve = 0;
      }
    }
  }
}
----------

Commit 978ffcbf00d8 ("execve: open the executable file before doing anything else") broke the ordering, and commit 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs") and commit 3eab830189d9 ("uselib: remove use of __FMODE_EXEC") fixed the regression. But current->in_execve remains required unless an LSM callback that is called when an execve() request failed (which existed as security_bprm_free() until Linux 2.6.28) revives...
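As an added example, not part of Tetsuo's mail or of the TOMOYO source: a constructed user-space C model of the task state and the three hooks in the trace above (domain_info, old_domain_info, in_execve), with permission checks left out and the error after the transition injected by a flag; cred_prepare(), bprm_check(), execve_attempt() and the domain strings are illustrative names. Driving execve_attempt() through a failing attempt and then a retry shows the task left in the new domain after the failure and the roll-back happening only in the next cred_prepare() call that runs with in_execve == 0.

```c
/* Constructed user-space model of the TOMOYO bookkeeping traced above (not
 * kernel code): domains are strings and permission checks are left out. */
#include <stddef.h>
#include <string.h>

struct task {
	const char *domain_info;     /* s->domain_info */
	const char *old_domain_info; /* s->old_domain_info */
	int in_execve;               /* current->in_execve */
};

/* tomoyo_cred_prepare(): return to the old domain only when no execve() is
 * in flight, i.e. the previous execve() failed after transiting. */
static void cred_prepare(struct task *t)
{
	if (t->old_domain_info && !t->in_execve) {
		t->domain_info = t->old_domain_info;
		t->old_domain_info = NULL;
	}
}

/* tomoyo_bprm_check_security(): only the first call per execve() transits. */
static void bprm_check(struct task *t, const char *domain)
{
	if (!t->old_domain_info) {
		t->old_domain_info = t->domain_info; /* remember old domain */
		t->domain_info = domain;             /* transit to new domain */
	}
}

/* One bprm_execve() in the traced order; fail_after_transit models an error
 * raised after s->domain_info was updated. Returns 0 on success, -1 on error. */
static int execve_attempt(struct task *t, const char *domain, int fail_after_transit)
{
	cred_prepare(t);       /* prepare_bprm_creds() */
	t->in_execve = 1;
	bprm_check(t, domain); /* first search_binary_handler(): execute check */
	bprm_check(t, domain); /* second one: read check only, no domain change */
	if (fail_after_transit) {
		t->in_execve = 0;  /* error path: no chance to restore s->domain_info */
		return -1;
	}
	t->old_domain_info = NULL; /* tomoyo_bprm_committed_creds(): forget old domain */
	t->in_execve = 0;
	return 0;
}
```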