Re: [PATCH v7 3/7] exec: Move path_noexec() check earlier
From: Mickaël Salaün <mic@digikod.net>
Date: 2020-08-13 15:32:08
Also in:
linux-api, linux-fsdevel, linux-integrity, lkml
Possibly related (same subject, not in this thread)
- 2020-07-23 · [PATCH v7 3/7] exec: Move path_noexec() check earlier · Mickaël Salaün <mic@digikod.net>
Kees Cook wrote this patch, which is in Andrew Morton's tree, but I think you're talking about O_MAYEXEC, not this patch specifically. On 11/08/2020 21:36, Eric W. Biederman wrote:
Mickaël Salaün [off-list ref] writes:quoted
From: Kees Cook <redacted> The path_noexec() check, like the regular file check, was happening too late, letting LSMs see impossible execve()s. Check it earlier as well in may_open() and collect the redundant fs/exec.c path_noexec() test under the same robustness comment as the S_ISREG() check. My notes on the call path, and related arguments, checks, etc:A big question arises, that I think someone already asked.
Al Viro and Jann Horn expressed such concerns for O_MAYEXEC: https://lore.kernel.org/lkml/0cc94c91-afd3-27cd-b831-8ea16ca8ca93@digikod.net/ (local)
Why perform this test in may_open directly instead of moving it into inode_permission. That way the code can be shared with faccessat, and any other code path that wants it?
This patch is just a refactoring. About O_MAYEXEC, path-based LSM, IMA and IPE need to work on a struct file, whereas inode_permission() only gives a struct inode. However, faccessat2(2) (with extended flags) seems to be the perfect candidate if we want to be able to check file descriptors.
That would look to provide a more maintainable kernel.
Why would it be more maintainable?
Ericquoted
do_open_execat() struct open_flags open_exec_flags = { .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, .acc_mode = MAY_EXEC, ... do_filp_open(dfd, filename, open_flags) path_openat(nameidata, open_flags, flags) file = alloc_empty_file(open_flags, current_cred()); do_open(nameidata, file, open_flags) may_open(path, acc_mode, open_flag) /* new location of MAY_EXEC vs path_noexec() test */ inode_permission(inode, MAY_OPEN | acc_mode) security_inode_permission(inode, acc_mode) vfs_open(path, file) do_dentry_open(file, path->dentry->d_inode, open) security_file_open(f) open() /* old location of path_noexec() test */ Signed-off-by: Mickaël Salaün <mic@digikod.net> Signed-off-by: Kees Cook <redacted> Link: https://lore.kernel.org/r/20200605160013.3954297-4-keescook@chromium.org (local) --- fs/exec.c | 12 ++++-------- fs/namei.c | 4 ++++ 2 files changed, 8 insertions(+), 8 deletions(-)diff --git a/fs/exec.c b/fs/exec.c index bdc6a6eb5dce..4eea20c27b01 100644 --- a/fs/exec.c +++ b/fs/exec.c@@ -147,10 +147,8 @@ SYSCALL_DEFINE1(uselib, const char __user *, library) * and check again at the very end too. */ error = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode))) - goto exit; - - if (path_noexec(&file->f_path)) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || + path_noexec(&file->f_path))) goto exit; fsnotify_open(file);@@ -897,10 +895,8 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags) * and check again at the very end too. */ err = -EACCES; - if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode))) - goto exit; - - if (path_noexec(&file->f_path)) + if (WARN_ON_ONCE(!S_ISREG(file_inode(file)->i_mode) || + path_noexec(&file->f_path))) goto exit; err = deny_write_access(file);diff --git a/fs/namei.c b/fs/namei.c index a559ad943970..ddc9b25540fe 100644 --- a/fs/namei.c +++ b/fs/namei.c@@ -2863,6 +2863,10 @@ static int may_open(const struct path *path, int acc_mode, int flag) return -EACCES; flag &= ~O_TRUNC; break; + case S_IFREG: + if ((acc_mode & MAY_EXEC) && path_noexec(path)) + return -EACCES; + break; } error = inode_permission(inode, MAY_OPEN | acc_mode);