Thread (32 messages) 32 messages, 10 authors, 2020-08-11

Re: [PATCH v7 0/7] Add support for O_MAYEXEC

From: Mickaël Salaün <mic@digikod.net>
Date: 2020-08-11 08:49:59
Also in: linux-fsdevel, linux-integrity, linux-security-module, lkml

On 11/08/2020 01:05, Al Viro wrote:
On Tue, Aug 11, 2020 at 12:43:52AM +0200, Mickaël Salaün wrote:
quoted
Hooking on open is a simple design that enables processes to check files
they intend to open, before they open them.
Which is a good thing, because...?
quoted
From an API point of view,
this series extends openat2(2) with one simple flag: O_MAYEXEC. The
enforcement is then subject to the system policy (e.g. mount points,
file access rights, IMA, etc.).
That's what "unspecified" means - as far as the kernel concerned, it's
"something completely opaque, will let these hooks to play, semantics is
entirely up to them".
I see it as an access controls mechanism; access may be granted or
denied, as for O_RDONLY, O_WRONLY or (non-Linux) O_EXEC. Even for common
access controls, there are capabilities to bypass them (i.e.
CAP_DAC_OVERRIDE), but multiple layers may enforce different
complementary policies.
 
quoted
Checking on open enables to not open a file if it does not meet some
requirements, the same way as if the path doesn't exist or (for whatever
reasons, including execution permission) if access is denied. It is a
good practice to check as soon as possible such properties, and it may
enables to avoid (user space) time-of-check to time-of-use (TOCTOU)
attacks (i.e. misuse of already open resources).
?????  You explicitly assume a cooperating caller.
As said in the below (removed) reply, no, quite the contrary.
 If it can't be trusted
to issue the check between open and use, or can be manipulated (ptraced,
etc.) into not doing so, how can you rely upon the flag having been passed
in the first place?  And TOCTOU window is definitely not wider that way.
OK, I guess it would be considered a bug in the application (e.g. buggy
resource management between threads).
If you want to have it done immediately after open(), bloody well do it
immediately after open.  If attacker has subverted your control flow to the
extent that allows them to hit descriptor table in the interval between
these two syscalls, you have already lost - they'll simply prevent that
flag from being passed.

What's the point of burying it inside openat2()?  A convenient multiplexor
to hook into?  We already have one - it's called do_syscall_...
To check as soon as possible without opening something that should not
be opened in the first place.

Isn't a dedicated syscall a bit too much for this feature? What about
adding a new command/flag to fcntl(2)?
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help