| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200722161639.GA24129@gandi.net>
Date: Wed, 22 Jul 2020 18:16:39 +0200
From: Thibaut Sautereau <thibaut.sautereau@...p-os.org>
To: Kees Cook <keescook@...omium.org>,
Mickaël Salaün <mic@...ikod.net>
Cc: linux-kernel@...r.kernel.org, Aleksa Sarai <cyphar@...har.com>,
Alexei Starovoitov <ast@...nel.org>,
Al Viro <viro@...iv.linux.org.uk>,
Andrew Morton <akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>,
Christian Brauner <christian.brauner@...ntu.com>,
Christian Heimes <christian@...hon.org>,
Daniel Borkmann <daniel@...earbox.net>,
Deven Bowers <deven.desai@...ux.microsoft.com>,
Dmitry Vyukov <dvyukov@...gle.com>,
Eric Biggers <ebiggers@...nel.org>,
Eric Chiang <ericchiang@...gle.com>,
Florian Weimer <fweimer@...hat.com>,
James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>,
Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Matthew Garrett <mjg59@...gle.com>,
Matthew Wilcox <willy@...radead.org>,
Michael Kerrisk <mtk.manpages@...il.com>,
Mickaël Salaün <mickael.salaun@....gouv.fr>,
Mimi Zohar <zohar@...ux.ibm.com>,
Philippe Trébuchet
<philippe.trebuchet@....gouv.fr>,
Scott Shell <scottsh@...rosoft.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Shuah Khan <shuah@...nel.org>,
Steve Dower <steve.dower@...hon.org>,
Steve Grubb <sgrubb@...hat.com>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
Vincent Strubel <vincent.strubel@....gouv.fr>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file
exec through O_MAYEXEC
On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote:
>
> On 15/07/2020 22:37, Kees Cook wrote:
> > On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote:
> >> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> >> case S_IFLNK:
> >> return -ELOOP;
> >> case S_IFDIR:
> >> - if (acc_mode & (MAY_WRITE | MAY_EXEC))
> >> + if (acc_mode & (MAY_WRITE | MAY_EXEC | MAY_OPENEXEC))
> >> return -EISDIR;
> >> break;
> >
> > (I need to figure out where "open for reading" rejects S_IFDIR, since
> > it's clearly not here...)
Doesn't it come from generic_read_dir() in fs/libfs.c?
> >
> >> case S_IFBLK:
> >> @@ -2859,13 +2865,26 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> >> fallthrough;
> >> case S_IFIFO:
> >> case S_IFSOCK:
> >> - if (acc_mode & MAY_EXEC)
> >> + if (acc_mode & (MAY_EXEC | MAY_OPENEXEC))
> >> return -EACCES;
> >> flag &= ~O_TRUNC;
> >> break;
> >
> > This will immediately break a system that runs code with MAY_OPENEXEC
> > set but reads from a block, char, fifo, or socket, even in the case of
> > a sysadmin leaving the "file" sysctl disabled.
>
> As documented, O_MAYEXEC is for regular files. The only legitimate use
> case seems to be with pipes, which should probably be allowed when
> enforcement is disabled.
By the way Kees, while we fix that for the next series, do you think it
would be relevant, at least for the sake of clarity, to add a
WARN_ON_ONCE(acc_mode & MAY_OPENEXEC) for the S_IFSOCK case, since a
socket cannot be open anyway?
--
Thibaut Sautereau
CLIP OS developer
Powered by blists - more mailing lists