Re: [PATCH v7 4/7] fs: Introduce O_MAYEXEC flag for openat2(2)

From: Mickaël Salaün
Date: Mon Jul 27 2020 - 15:47:08 EST



On 27/07/2020 07:27, Florian Weimer wrote:
> * Al Viro:
>
>> On Thu, Jul 23, 2020 at 07:12:24PM +0200, Mickaël Salaün wrote:
>>> When the O_MAYEXEC flag is passed, openat2(2) may be subject to
>>> additional restrictions depending on a security policy managed by the
>>> kernel through a sysctl or implemented by an LSM thanks to the
>>> inode_permission hook. This new flag is ignored by open(2) and
>>> openat(2) because of their unspecified flags handling. When used with
>>> openat2(2), the default behavior is only to forbid opening a directory.
>>
>> Correct me if I'm wrong, but it looks like you are introducing a magical
>> flag that would mean "let the Linux S&M take an extra special whip
>> for this open()".

There is nothing magical; it doesn't only work with the LSM framework, and
there is nothing painful or humiliating here (except maybe this language).

>>
>> Why is it done during open? If the caller is passing it deliberately,
>> why not have an explicit request to apply given torture device to an
>> already opened file? Why not sys_masochism(int fd, char *hurt_flavour),
>> for that matter?
>
> While I do not think this is appropriate language for a workplace, Al
> has a point: If the auditing event can be generated on an already-open
> descriptor, it would also cover scenarios like this one:
>
> perl < /path/to/script
>
> Where the process that opens the file does not (and cannot) know that it
> will be used for execution purposes.

The check is done during open because the goal of this patch series is
to address the problem of script execution when opening a script in
well-controlled systems (e.g. to enforce a "write xor execute" policy, to
do an atomic integrity check [1], to check specific execute/read
permissions, etc.). As discussed multiple times, controlling other means
of interpreting commands (stdin, environment variables, etc.) is out of
scope and should be handled by interpreters (in userspace). Someone
could still extend fcntl(2) to enable checking file descriptors, but it
is an independent change not required for now.
Specific audit features are also out of scope for now [2].

[1] https://lore.kernel.org/lkml/1544699060.6703.11.camel@xxxxxxxxxxxxx/
[2] https://lore.kernel.org/lkml/202007160822.CCDB5478@keescook/