| Message ID | 20200428175129.634352-3-mic@digikod.net (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Add support for RESOLVE_MAYEXEC | expand |
On Tue, 28 Apr 2020, Mickaël Salaün wrote: > An LSM doesn't get path information related to an access request to open > an inode. This new (internal) MAY_EXECMOUNT flag enables an LSM to > check if the underlying mount point of an inode is marked as executable. > This is useful to implement a security policy taking advantage of the > noexec mount option. > > This flag is set according to path_noexec(), which checks if a mount > point is mounted with MNT_NOEXEC or if the underlying superblock is > SB_I_NOEXEC. > > Signed-off-by: Mickaël Salaün <mic@digikod.net> > Reviewed-by: Philippe Trébuchet <philippe.trebuchet@ssi.gouv.fr> > Reviewed-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr> > Cc: Aleksa Sarai <cyphar@cyphar.com> > Cc: Al Viro <viro@zeniv.linux.org.uk> > Cc: Kees Cook <keescook@chromium.org> Are there any existing LSMs which plan to use this aspect?
On 01/05/2020 06:02, James Morris wrote: > On Tue, 28 Apr 2020, Mickaël Salaün wrote: > >> An LSM doesn't get path information related to an access request to open >> an inode. This new (internal) MAY_EXECMOUNT flag enables an LSM to >> check if the underlying mount point of an inode is marked as executable. >> This is useful to implement a security policy taking advantage of the >> noexec mount option. >> >> This flag is set according to path_noexec(), which checks if a mount >> point is mounted with MNT_NOEXEC or if the underlying superblock is >> SB_I_NOEXEC. >> >> Signed-off-by: Mickaël Salaün <mic@digikod.net> >> Reviewed-by: Philippe Trébuchet <philippe.trebuchet@ssi.gouv.fr> >> Reviewed-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr> >> Cc: Aleksa Sarai <cyphar@cyphar.com> >> Cc: Al Viro <viro@zeniv.linux.org.uk> >> Cc: Kees Cook <keescook@chromium.org> > > Are there any existing LSMs which plan to use this aspect? This commit message was initially for the first version of O_MAYEXEC, which extended Yama. The current enforcement implementation is now directly in the FS subsystem (as requested by Kees Cook). However, this MAY_EXECMOUNT flag is still used by the current FS implementation and it could still be useful for LSMs.
diff --git a/fs/namei.c b/fs/namei.c index a320371899cf..33b6d372e74a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -2849,6 +2849,8 @@ static int may_open(const struct path *path, int acc_mode, int flag) break; } + /* Pass the mount point executability. */ + acc_mode |= path_noexec(path) ? 0 : MAY_EXECMOUNT; error = inode_permission(inode, MAY_OPEN | acc_mode); if (error) return error; diff --git a/include/linux/fs.h b/include/linux/fs.h index f5be4be7c01d..9213147d8636 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -103,6 +103,8 @@ typedef int (dio_iodone_t)(struct kiocb *iocb, loff_t offset, #define MAY_NOT_BLOCK 0x00000080 /* the inode is opened with RESOLVE_MAYEXEC */ #define MAY_OPENEXEC 0x00000100 +/* the mount point is marked as executable */ +#define MAY_EXECMOUNT 0x00000200 /* * flags in file.f_mode. Note that FMODE_READ and FMODE_WRITE must correspond