Message ID | 20240124220619.work.227-kees@kernel.org |
---|---|
State | New |
Series | exec: Remove __FMODE_EXEC from uselib() |
Commit Message
Kees Cook
Jan. 24, 2024, 10:06 p.m. UTC
Path-based LSMs will bypass uselib() "open" checks since commit
4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
"mmap" hooks will be restored. (uselib() never set current->in_execve.)

Other things that checked __FMODE_EXEC:

- fs/fcntl.c is just doing a bitfield sanity check.

- nfs_open_permission_mask() is only checking for the
  "unreadable exec" case, which is not an issue for uselib(),
  which sets MAY_READ, unlike execve().

- fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but
  rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't
  an exec: it's more like mmap(), which fsnotify doesn't intercept.

Reported-by: Jann Horn <jannh@google.com>
Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/
Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs")
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kevin Locke <kevin@kevinlocke.name>
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Jan Kara <jack@suse.cz>
Cc: linux-mm@kvack.org
Cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
---
fs/exec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Wed, Jan 24, 2024 at 02:06:23PM -0800, Kees Cook wrote:
> Path-based LSMs will bypass uselib() "open" checks since commit
> 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
> so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
> "mmap" hooks will be restored. (uselib() never set current->in_execve.)

Ah, nevermind, I see Linus's commit has taken care of this already:
https://git.kernel.org/linus/3eab830189d94f0f80f34cbff609b5bb54002679

On Wed 24-01-24 14:06:23, Kees Cook wrote:
> Path-based LSMs will bypass uselib() "open" checks since commit
> 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs"),
> so don't set __FMODE_EXEC during uselib(). The LSM "open" and eventual
> "mmap" hooks will be restored. (uselib() never set current->in_execve.)
>
> Other things that checked __FMODE_EXEC:
>
> - fs/fcntl.c is just doing a bitfield sanity check.
>
> - nfs_open_permission_mask() is only checking for the
>   "unreadable exec" case, which is not an issue for uselib(),
>   which sets MAY_READ, unlike execve().
>
> - fsnotify would no longer see uselib() as FS_OPEN_EXEC_PERM, but
>   rather as FS_OPEN_PERM, but this is likely a bug fix, as uselib() isn't
>   an exec: it's more like mmap(), which fsnotify doesn't intercept.

OK, I went back to the original discussion with Steve Grubb and Matthew
Bobrowski who asked for FS_OPEN_EXEC_PERM and AFAICT this change in
uselib() should be fine wrt use cases we discussed. That doesn't mean
there cannot be some userspace which will get broken by this (in which
case we'd have to revert or find some other solution) but I'm willing to
try. I'm also CCing Steve & Matthew for input but from my side feel free
to add:

Acked-by: Jan Kara <jack@suse.cz>

Honza

>
> Reported-by: Jann Horn <jannh@google.com>
> Closes: https://lore.kernel.org/lkml/CAG48ez017tTwxXbxdZ4joVDv5i8FLWEjk=K_z1Vf=pf0v1=cTg@mail.gmail.com/
> Fixes: 4759ff71f23e ("exec: Check __FMODE_EXEC instead of in_execve for LSMs")
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Kevin Locke <kevin@kevinlocke.name>
> Cc: Eric Biederman <ebiederm@xmission.com>
> Cc: Alexander Viro <viro@zeniv.linux.org.uk>
> Cc: Christian Brauner <brauner@kernel.org>
> Cc: Jan Kara <jack@suse.cz>
> Cc: linux-mm@kvack.org
> Cc: linux-fsdevel@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> fs/exec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> > diff --git a/fs/exec.c b/fs/exec.c > index d179abb78a1c..af4fbb61cd53 100644 > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) > struct filename *tmp = getname(library); > int error = PTR_ERR(tmp); > static const struct open_flags uselib_flags = { > - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, > + .open_flag = O_LARGEFILE | O_RDONLY, > .acc_mode = MAY_READ | MAY_EXEC, > .intent = LOOKUP_OPEN, > .lookup_flags = LOOKUP_FOLLOW, > -- > 2.34.1 >
diff --git a/fs/exec.c b/fs/exec.c index d179abb78a1c..af4fbb61cd53 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -128,7 +128,7 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) struct filename *tmp = getname(library); int error = PTR_ERR(tmp); static const struct open_flags uselib_flags = { - .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, + .open_flag = O_LARGEFILE | O_RDONLY, .acc_mode = MAY_READ | MAY_EXEC, .intent = LOOKUP_OPEN, .lookup_flags = LOOKUP_FOLLOW,
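
Review bot: Nothing in the uselib_flags initializer records why `.open_flag = O_LARGEFILE | O_RDONLY,` omits __FMODE_EXEC while the next line still requests `.acc_mode = MAY_READ | MAY_EXEC,`. The reason exists only in the commit message (LSMs key on __FMODE_EXEC since 4759ff71f23e, and uselib() is not an exec), so a later cleanup that sees MAY_EXEC without the matching open flag could put it back and reintroduce the path-based LSM "open" bypass. A short comment above the struct saying that the flag is left out on purpose, and that doing so keeps the LSM "open" and "mmap" hooks in effect for uselib(), would guard against that. The commit message also says fsnotify will now report uselib() as FS_OPEN_PERM rather than FS_OPEN_EXEC_PERM; since that is visible to userspace listeners, it is worth stating in the same comment or in the uselib() documentation so the behaviour change is discoverable outside the changelog.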