Re: [PATCH v7 0/7] Add support for O_MAYEXEC
From: Mickaël Salaün <mic@digikod.net>
Date: 2020-08-11 08:49:59
Also in:
linux-fsdevel, linux-integrity, linux-security-module, lkml
On 11/08/2020 01:05, Al Viro wrote:
On Tue, Aug 11, 2020 at 12:43:52AM +0200, Mickaël Salaün wrote:quoted
Hooking on open is a simple design that enables processes to check files they intend to open, before they open them.Which is a good thing, because...?quoted
From an API point of view, this series extends openat2(2) with one simple flag: O_MAYEXEC. The enforcement is then subject to the system policy (e.g. mount points, file access rights, IMA, etc.).That's what "unspecified" means - as far as the kernel concerned, it's "something completely opaque, will let these hooks to play, semantics is entirely up to them".
I see it as an access controls mechanism; access may be granted or denied, as for O_RDONLY, O_WRONLY or (non-Linux) O_EXEC. Even for common access controls, there are capabilities to bypass them (i.e. CAP_DAC_OVERRIDE), but multiple layers may enforce different complementary policies.
quoted
Checking on open enables to not open a file if it does not meet some requirements, the same way as if the path doesn't exist or (for whatever reasons, including execution permission) if access is denied. It is a good practice to check as soon as possible such properties, and it may enables to avoid (user space) time-of-check to time-of-use (TOCTOU) attacks (i.e. misuse of already open resources).????? You explicitly assume a cooperating caller.
As said in the below (removed) reply, no, quite the contrary.
If it can't be trusted to issue the check between open and use, or can be manipulated (ptraced, etc.) into not doing so, how can you rely upon the flag having been passed in the first place? And TOCTOU window is definitely not wider that way.
OK, I guess it would be considered a bug in the application (e.g. buggy resource management between threads).
If you want to have it done immediately after open(), bloody well do it immediately after open. If attacker has subverted your control flow to the extent that allows them to hit descriptor table in the interval between these two syscalls, you have already lost - they'll simply prevent that flag from being passed. What's the point of burying it inside openat2()? A convenient multiplexor to hook into? We already have one - it's called do_syscall_...
To check as soon as possible without opening something that should not be opened in the first place. Isn't a dedicated syscall a bit too much for this feature? What about adding a new command/flag to fcntl(2)?