From patchwork Wed Jan 24 19:22:32 2024
X-Patchwork-Submitter: Kees Cook
X-Patchwork-Id: 13529597
From: Kees Cook
To: Josh Triplett, Kevin Locke
Cc: Kees Cook, Linus Torvalds, John Johansen, Paul Moore, James Morris,
 "Serge E. Hallyn", Kentaro Takeda, Tetsuo Handa, Alexander Viro,
 Christian Brauner, Jan Kara, Eric Biederman, Andrew Morton,
 Sebastian Andrzej Siewior, linux-fsdevel@vger.kernel.org,
 linux-mm@kvack.org, apparmor@lists.ubuntu.com,
 linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-hardening@vger.kernel.org
Subject: [PATCH] exec: Check __FMODE_EXEC instead of in_execve for LSMs
Date: Wed, 24 Jan 2024 11:22:32 -0800
Message-Id: <20240124192228.work.788-kees@kernel.org>
X-Mailer: git-send-email 2.34.1

After commit 978ffcbf00d8 ("execve: open the executable file before doing
anything else"), current->in_execve was no longer in sync with the
open(). This broke AppArmor and TOMOYO which depend on this flag to
distinguish "open" operations from being "exec" operations.

Instead of moving around in_execve, switch to using __FMODE_EXEC, which
is where the "is this an exec?" intent is stored. Note that TOMOYO still
uses in_execve around cred handling.

Reported-by: Kevin Locke Closes: https://lore.kernel.org/all/ZbE4qn9_h14OqADK@kevinlocke.name Suggested-by: Linus Torvalds Fixes: 978ffcbf00d8 ("execve: open the executable file before doing anything else") Cc: Josh Triplett Cc: John Johansen Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: Kentaro Takeda Cc: Tetsuo Handa Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: Eric Biederman Cc: Andrew Morton Cc: Sebastian Andrzej Siewior Cc: linux-fsdevel@vger.kernel.org Cc: linux-mm@kvack.org Cc: apparmor@lists.ubuntu.com Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Tested-by: Kevin Locke --- security/apparmor/lsm.c | 4 +++- security/tomoyo/tomoyo.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 7717354ce095..98e1150bee9d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -469,8 +469,10 @@ static int apparmor_file_open(struct file *file) * Cache permissions granted by the previous exec check, with * implicit read and executable mmap which are required to * actually execute the image. + * + * Illogically, FMODE_EXEC is in f_flags, not f_mode. */ - if (current->in_execve) { + if (file->f_flags & __FMODE_EXEC) { fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; return 0; } diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index 3c3af149bf1c..04a92c3d65d4 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -328,7 +328,8 @@ static int tomoyo_file_fcntl(struct file *file, unsigned int cmd, static int tomoyo_file_open(struct file *f) { /* Don't check read permission here if called from execve(). */ - if (current->in_execve) + /* Illogically, FMODE_EXEC is in f_flags, not f_mode. */ + if (f->f_flags & __FMODE_EXEC) return 0; return tomoyo_check_open_permission(tomoyo_domain(), &f->f_path, f->f_flags);
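Review bot: In the apparmor_file_open() hunk, the added comment line "Illogically, FMODE_EXEC is in f_flags, not f_mode." says where the flag lives but not why it can stand in for current->in_execve. The comment block above it still describes the fast path as caching "permissions granted by the previous exec check", while the new condition is a property of the file being opened rather than of the calling task. Suggest the comment state that __FMODE_EXEC marks an open made with exec intent (as the commit message puts it), so a reader can see that the MAY_EXEC | MAY_READ | AA_EXEC_MMAP grant is still tied to an exec check, and drop the editorial "Illogically" in favour of a plain statement of fact.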
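Review bot: In the tomoyo_file_open() hunk, the retained comment "Don't check read permission here if called from execve()." no longer matches the test beneath it, which now keys on f->f_flags & __FMODE_EXEC rather than on the calling task being inside execve(). Suggest folding the two one-line comments into a single comment that describes the flag-based condition. Since the commit message notes that TOMOYO still uses in_execve around cred handling, a short mention of that here would help readers who see both checks in the same file.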