lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20240126104727.rzksht5mjkanvo5n@quack3>
Date: Fri, 26 Jan 2024 11:47:27 +0100
From: Jan Kara <jack@...e.cz>
To: Kees Cook <keescook@...omium.org>
Cc: Kevin Locke <kevin@...inlocke.name>, Jann Horn <jannh@...gle.com>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Eric Biederman <ebiederm@...ssion.com>,
	Alexander Viro <viro@...iv.linux.org.uk>,
	Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>,
	linux-mm@...ck.org, linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org,
	Matthew Bobrowski <mbobrowski@...browski.org>, amir73il@...il.com,
	Steve Grubb <sgrubb@...hat.com>
Subject: Re: [PATCH] exec: Remove __FMODE_EXEC from uselib()

On Wed 24-01-24 14:06:23, Kees Cook wrote:
> Path-based LSMs will bypass uselib() "open" checks since commit
> 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
> so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
> "mmap" hooks will be restored. (uselib() never set current->in_execve.)
> 
> Other things that checked __FMODE_EXEC:
> 
> - fs/fcntl.c is just doing a bitfield sanity check.
> 
> - nfs_open_permission_mask() is only checking for the
>   "unreadable exec" case, which is not an issue for uselib(),
>   which sets MAY_READ, unlike execve().
> 
> - fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but
>   rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't
>   an exec: it's more like mmap(), which fsnotify doesn't intercept.

OK, I went back to the original discussion with Steve Grubb and Matthew
Bobrowski who asked for FS_OPEN_EXEC_PERM and AFAICT this change in
uselib() should be fine wrt usescases we discussed. That doesn't mean there
cannot be some userspace which will get broken by this (in which case we'd
have to revert or find some other solution) but I'm willing to try. I'm
also CCing Steve & Matthew for input but from my side feel free to add:

Acked-by: Jan Kara <jack@...e.cz>

								Honza

> 
> Reported-by: Jann Horn <jannh@...gle.com>
> Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/
> Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs")
> Suggested-by: Linus Torvalds <torvalds@...ux-foundation.org>
> Cc: Kevin Locke <kevin@...inlocke.name>
> Cc: Eric Biederman <ebiederm@...ssion.com>
> Cc: Alexander Viro <viro@...iv.linux.org.uk>
> Cc: Christian Brauner <brauner@...nel.org>
> Cc: Jan Kara <jack@...e.cz>
> Cc: linux-mm@...ck.org
> Cc: linux-fsdevel@...r.kernel.org
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
>  fs/exec.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index d179abb78a1c..af4fbb61cd53 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library)
>  	struct filename *tmp = getname(library);
>  	int error = PTR_ERR(tmp);
>  	static const struct open_flags uselib_flags = {
> -		.open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
> +		.open_flag = O_LARGEFILE | O_RDONLY,
>  		.acc_mode = MAY_READ | MAY_EXEC,
>  		.intent = LOOKUP_OPEN,
>  		.lookup_flags = LOOKUP_FOLLOW,
> -- 
> 2.34.1
> 
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ