Thread: 25 messages, 4 authors, 2020-07-22

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

From: Mickaël Salaün <mic@digikod.net>
Date: 2020-07-22 19:04:55
Also in: linux-api, linux-integrity, linux-security-module, lkml

On 22/07/2020 18:16, Thibaut Sautereau wrote:
On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote:
On 15/07/2020 22:37, Kees Cook wrote:
On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote:
@@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int acc_mode, int flag)
 	case S_IFLNK:
 		return -ELOOP;
 	case S_IFDIR:
-		if (acc_mode & (MAY_WRITE | MAY_EXEC))
+		if (acc_mode & (MAY_WRITE | MAY_EXEC | MAY_OPENEXEC))
 			return -EISDIR;
 		break;
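Review bot: the S_IFDIR case now returns -EISDIR for any open carrying MAY_OPENEXEC without consulting the enforcement sysctl, so an O_MAYEXEC | O_RDONLY open of a directory fails even on a system where no policy is enforced. Rejecting it is defensible, since a directory can never be executed and O_MAYEXEC is documented as applying to regular files, but it is a different rule from the one the series applies to devices and FIFOs, and the documentation should say so and name the errno (EISDIR rather than EACCES). Without this line the open would go through here, because a plain read-only open of a directory is allowed by may_open() and only a later read(2) fails, from generic_read_dir() in fs/libfs.c, so the added flag bit is what makes the rejection happen at open time.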
(I need to figure out where "open for reading" rejects S_IFDIR, since
it's clearly not here...)
Doesn't it come from generic_read_dir() in fs/libfs.c?
 	case S_IFBLK:
@@ -2859,13 +2865,26 @@ static int may_open(const struct path *path, int acc_mode, int flag)
 		fallthrough;
 	case S_IFIFO:
 	case S_IFSOCK:
-		if (acc_mode & MAY_EXEC)
+		if (acc_mode & (MAY_EXEC | MAY_OPENEXEC))
 			return -EACCES;
 		flag &= ~O_TRUNC;
 		break;
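Review bot: the widened test `if (acc_mode & (MAY_EXEC | MAY_OPENEXEC)) return -EACCES;` covers S_IFBLK, S_IFCHR, S_IFIFO and S_IFSOCK unconditionally, so any caller that sets O_MAYEXEC while reading from a pipe or a device gets EACCES even when the administrator has left the "file" sysctl disabled; that is a behaviour change for existing users of those file types, not just for the policy the series introduces. Keep the existing `if (acc_mode & MAY_EXEC)` check as it is and make the MAY_OPENEXEC rejection conditional on a policy actually being enforced (FIFOs are the case that needs to keep working when enforcement is off). For S_IFSOCK the new check also runs before the open would otherwise fail with ENXIO, so whichever errno is chosen for the enforced case should be stated in the O_MAYEXEC documentation added by this patch.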
This will immediately break a system that runs code with MAY_OPENEXEC
set but reads from a block, char, fifo, or socket, even in the case of
a sysadmin leaving the "file" sysctl disabled.
As documented, O_MAYEXEC is for regular files. The only legitimate use
case seems to be with pipes, which should probably be allowed when
enforcement is disabled.
By the way Kees, while we fix that for the next series, do you think it
would be relevant, at least for the sake of clarity, to add a
WARN_ON_ONCE(acc_mode & MAY_OPENEXEC) for the S_IFSOCK case, since a
socket cannot be opened anyway?
We just did some more tests (for the next patch series) and it turns out
that may_open() can return EACCES before another part returns ENXIO.

As a reminder, the next series will deny access to block devices,
character devices, fifo and socket when opened with O_MAYEXEC *and* if
any policy is enforced (via the sysctl).

The question is then: do we prefer to return EACCES when a policy is
enforced (on a socket), or do we stick to the ENXIO? The EACCES approach
will be more consistent with devices and fifo handling, and seems safer
(belt and suspenders) though.
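To make the errno ordering discussed above concrete (the EACCES from may_open() versus the ENXIO a socket open fails with today, the FIFO read that must keep working when no policy is enforced, and the read-only directory open Kees asked about), here is an added example; it is not part of the patch and not code from any message in this thread. It runs on a current kernel without O_MAYEXEC: it binds an AF_UNIX socket and creates a FIFO under /tmp (constructed, per-process paths), opens each by path, and reads from a directory, returning the errno each step observes so the patched behaviour can be compared against the baseline.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Open path with flags; return 0 on success, otherwise the errno value. */
static int open_errno(const char *path, int flags)
{
	int fd = open(path, flags);

	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

/* Per-process scratch path under /tmp (constructed location for this
 * example; any writable directory would do). */
static void scratch_path(char *buf, size_t len, const char *kind)
{
	snprintf(buf, len, "/tmp/o_mayexec-%s-%ld", kind, (long)getpid());
}

/*
 * Bind an AF_UNIX socket to a path and open(2) that path read-only.
 * S_IFSOCK inodes carry no file operations, so the open fails with ENXIO
 * after may_open() has already let it through: this is the later ENXIO
 * that an EACCES from the patched may_open() would pre-empt.
 * Returns the errno of the open, 0 on success, or -1 if setup failed.
 */
int errno_opening_unix_socket(void)
{
	char path[64];
	struct sockaddr_un sa;
	int sfd, err;

	scratch_path(path, sizeof(path), "sock");
	sfd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (sfd < 0)
		return -1;
	memset(&sa, 0, sizeof(sa));
	sa.sun_family = AF_UNIX;
	strncpy(sa.sun_path, path, sizeof(sa.sun_path) - 1);
	unlink(path);
	if (bind(sfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
		close(sfd);
		return -1;
	}
	err = open_errno(path, O_RDONLY);
	close(sfd);
	unlink(path);
	return err;
}

/*
 * A FIFO opened read-only and non-blocking succeeds today: this is the pipe
 * use case that an unconditional EACCES for O_MAYEXEC would break on a
 * system with enforcement disabled. Same return convention as above.
 */
int errno_opening_fifo(void)
{
	char path[64];
	int err;

	scratch_path(path, sizeof(path), "fifo");
	unlink(path);
	if (mkfifo(path, 0600) < 0)
		return -1;
	err = open_errno(path, O_RDONLY | O_NONBLOCK);
	unlink(path);
	return err;
}

/*
 * Directories: may_open() accepts a plain read-only open; it is read(2)
 * that fails with EISDIR (generic_read_dir() in fs/libfs.c).
 * Returns the errno from read(2), 0 if it succeeded, or -1 if open failed.
 */
int errno_reading_directory(const char *dir)
{
	char byte;
	int fd = open(dir, O_RDONLY);
	int err;

	if (fd < 0)
		return -1;
	err = read(fd, &byte, 1) < 0 ? errno : 0;
	close(fd);
	return err;
}

static void report(const char *what, int err)
{
	if (err < 0)
		printf("%s: setup failed (%s)\n", what, strerror(errno));
	else if (err == 0)
		printf("%s: succeeded\n", what);
	else
		printf("%s: %s\n", what, strerror(err));
}

int main(void)
{
	report("open(O_RDONLY) on a bound unix socket path", errno_opening_unix_socket());
	report("open(O_RDONLY|O_NONBLOCK) on a FIFO", errno_opening_fifo());
	report("read(2) on a directory opened O_RDONLY", errno_reading_directory("."));
	return 0;
}
```

On a stock kernel the socket open reports "No such device or address" (ENXIO), the FIFO open succeeds, and the directory read reports "Is a directory" (EISDIR); with the hunk above applied and O_MAYEXEC added to the open flags, the first two would instead fail in may_open() with EACCES, which is the ordering Thibaut describes.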