On March 15, 2024 1:22:39 PM PDT, Paul Moore [off-list ref] wrote:

On Fri, Mar 15, 2024 at 2:10 PM Christian Göttsche
[off-list ref] wrote:

quoted

Add a new hook guarding instantiations of programs with executable
stack.  They are being warned about since commit 47a2ebb7f505 ("execve:
warn if process starts with executable stack").  Lets give LSMs the
ability to control their presence on a per application basis.

Signed-off-by: Christian Göttsche <redacted>
---
 fs/exec.c                     |  4 ++++
 include/linux/lsm_hook_defs.h |  1 +
 include/linux/security.h      |  6 ++++++
 security/security.c           | 13 +++++++++++++
 4 files changed, 24 insertions(+)

Looking at the commit referenced above, I'm guessing the existing
security_file_mprotect() hook doesn't catch this?

quoted

diff --git a/fs/exec.c b/fs/exec.c
index 8cdd5b2dd09c..e6f9e980c6b1 100644
--- a/fs/exec.c
+++ b/fs/exec.c

@@ -829,6 +829,10 @@ int setup_arg_pages(struct linux_binprm *bprm,
        BUG_ON(prev != vma);

        if (unlikely(vm_flags & VM_EXEC)) {
+               ret = security_vm_execstack();
+               if (ret)
+                       goto out_unlock;
+
                pr_warn_once("process '%pD4' started with executable stack\n",
                             bprm->file);
        }

Instead of creating a new LSM hook, have you considered calling the
existing security_file_mprotect() hook?  The existing LSM controls
there may not be a great fit in this case, but I'd like to hear if
you've tried that, and if you have, what made you decide a new hook
was the better option?

Also, can't MDWE handle this already?
https://git.kernel.org/linus/b507808ebce23561d4ff8c2aa1fb949fe402bc61

-Kees

-- 
Kees Cook