From: Casey Schaufler
Date: Fri, 15 Mar 2024 11:22:05 -0700
Subject: Re: [RFC PATCH 1/2] lsm: introduce new hook security_vm_execstack
To: Christian Göttsche, linux-security-module@vger.kernel.org
Cc: Eric Biederman, Kees Cook, Alexander Viro, Christian Brauner, Jan Kara, Paul Moore, James Morris, "Serge E. Hallyn", Khadija Kamran, Andrii Nakryiko, Alexei Starovoitov, Ondrej Mosnacek, Roberto Sassu, Alfred Piccioni, John Johansen, linux-mm@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Casey Schaufler
References: <20240315181032.645161-1-cgzones@googlemail.com> <20240315181032.645161-2-cgzones@googlemail.com>
In-Reply-To: <20240315181032.645161-2-cgzones@googlemail.com>

On 3/15/2024 11:08 AM, Christian Göttsche wrote:
> Add a new hook guarding instantiations of programs with executable
> stack. They are being warned about since commit 47a2ebb7f505 ("execve:
> warn if process starts with executable stack"). Let's give LSMs the
> ability to control their presence on a per application basis.

This seems like a hideously expensive way to implement a flag disallowing
execution of programs with executable stacks. What's wrong with adding a
flag VM_NO_EXECUTABLE_STACK?

>
> Signed-off-by: Christian Göttsche
> ---
>  fs/exec.c                     |  4 ++++
>  include/linux/lsm_hook_defs.h |  1 +
>  include/linux/security.h      |  6 ++++++
>  security/security.c           | 13 +++++++++++++
>  4 files changed, 24 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c > index 8cdd5b2dd09c..e6f9e980c6b1 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -829,6 +829,10 @@ int setup_arg_pages(struct linux_binprm *bprm, > BUG_ON(prev != vma); > > if (unlikely(vm_flags & VM_EXEC)) { > + ret = security_vm_execstack(); > + if (ret) > + goto out_unlock; > + > pr_warn_once("process '%pD4' started with executable stack\n", > bprm->file); > } > diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h > index 185924c56378..b31d0744e7e7 100644 > --- a/include/linux/lsm_hook_defs.h > +++ b/include/linux/lsm_hook_defs.h
> @@ -49,6 +49,7 @@ LSM_HOOK(int, 0, syslog, int type) > LSM_HOOK(int, 0, settime, const struct timespec64 *ts, > const struct timezone *tz) > LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) > +LSM_HOOK(int, 0, vm_execstack, void) > LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) > LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file) > LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) > diff --git a/include/linux/security.h b/include/linux/security.h > index d0eb20f90b26..084b96814970 100644 > --- a/include/linux/security.h > +++ b/include/linux/security.h > @@ -294,6 +294,7 @@ int security_quota_on(struct dentry *dentry); > int security_syslog(int type); > int security_settime64(const struct timespec64 *ts, const struct timezone *tz); > int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); > +int security_vm_execstack(void); > int security_bprm_creds_for_exec(struct linux_binprm *bprm); > int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file); > int security_bprm_check(struct linux_binprm *bprm); > @@ -624,6 +625,11 @@ static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) > return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages)); > } > > +static inline int security_vm_execstack(void) > +{ > + return 0; > +} > + > static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm) > { > return 0; > diff --git a/security/security.c b/security/security.c > index 0144a98d3712..f75240d0d99d 100644 > --- a/security/security.c > +++ b/security/security.c 
> @@ -1125,6 +1125,19 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) > return __vm_enough_memory(mm, pages, cap_sys_admin); > } > > +/** > + * security_vm_execstack() - Check if starting a program with executable stack > + * is allowed > + * > + * Check whether starting a program with an executable stack is allowed. > + * > + * Return: Returns 0 if permission is granted. > + */ > +int security_vm_execstack(void) > +{ > + return call_int_hook(vm_execstack); > +} > + > /** > * security_bprm_creds_for_exec() - Prepare the credentials for exec() > * @bprm: binary program information
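Review bot: in the fs/exec.c hunk the new hook takes no arguments, so an LSM that wants the per-application control the commit message promises has nothing but current to decide on; the binary being started is right there as `bprm->file` (it is what the `pr_warn_once()` just below prints), so consider passing `bprm` to `security_vm_execstack()` so the hook can key on the file being executed. Also note the ordering: on a non-zero return the code jumps to `out_unlock` before `pr_warn_once()` runs, so an exec refused by the LSM leaves no trace in the kernel log unless the module logs it itself; if that is intended it is worth a comment, otherwise consider emitting the warning before the hook call.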
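Review bot: the kerneldoc in the security/security.c hunk repeats its summary as its body ("Check if starting a program with executable stack is allowed" followed by "Check whether starting a program with an executable stack is allowed.") and the Return: line covers only the success case. Replace the duplicated sentence with what an LSM author needs, namely when the hook fires (from `setup_arg_pages()`, once the stack VMA has been set up with `VM_EXEC`, as the fs/exec.c hunk shows), and extend the return documentation to something like "Return: Returns 0 if permission is granted, or a negative error code to refuse the exec." Something like `-EPERM`/`-EACCES` guidance would also tell module authors which value the exec path propagates to userspace.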