Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)

From: Mickaël Salaün
Date: Thu Feb 09 2023 - 10:54:41 EST



On 08/02/2023 20:32, Kees Cook wrote:
> *thread necromancy*
> 
> On Tue, Apr 05, 2022 at 06:09:03PM +0200, Mickaël Salaün wrote:
>> 
>> On 05/04/2022 01:26, Linus Torvalds wrote:
>>> On Mon, Apr 4, 2022 at 3:25 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>>>> 
>>>> [...]
>>>> 
>>>> I think this already exists as AT_EACCESS? It was added with
>>>> faccessat2() itself, if I'm reading the history correctly.
>>> 
>>> Yeah, I noticed myself, I just hadn't looked (and I don't do enough
>>> user-space programming to be aware of it that way).
>>> 
>>> I think AT_EACCESS should be usable with the new EXECVE_OK too.
>>> 
>>>> (a) "what about suid bits that user space cannot react to"
>>>> 
>>>> What do you mean here? Do you mean setid bits on the file itself?
>>> 
>>> Right.
>>> 
>>> Maybe we don't care.
>> 
>> I think we don't. I think the only corner case that could be different is
>> for files that are executable, SUID and non-readable. In this case it
>> wouldn't matter because userspace could not read the file, which is required
>> for interpretation/execution. Anyway, S[GU]ID bits in scripts are just
>> ignored by execve and we want to follow the same semantics.
> 
> Hi Mickaël,
> 
> Is there a new version of this being worked on? It would be really nice
> to have the O_MAYEXEC/faccessat2() visibility for script execution control
> in userspace. It seems like it would be mainly a respin of an earlier
> version of this series before trusted_for() was proposed.

Yes, I plan to send a new version in a few weeks.

> -Kees
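The two technical points in the quoted exchange, checking execute permission with the effective IDs (AT_EACCESS) and the "executable, SUID, non-readable" corner case, can be exercised with syscalls that exist today. The block below is an added example written for this page; it is not code from the thread, the kernel, or the trusted_for/O_MAYEXEC series. The EXECVE_OK flag Linus mentions does not exist, so the check uses only stat(), faccessat() with AT_EACCESS and a read-open; what it cannot see is any kernel or LSM policy that execve() would apply, which is the gap the series is meant to fill. The names check_script, is_setid_unreadable and make_script, the four constructed sample files, and the scratch directory under /tmp are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What an interpreter can learn about a candidate script with existing
 * syscalls: stat() for mode bits, faccessat() with AT_EACCESS for an
 * effective-ID X_OK check, and a plain read-open. Illustrative code
 * written for this thread, not kernel code or a proposed API. */
struct script_check {
	int exec_ok;  /* X_OK against the effective UID/GID (AT_EACCESS) */
	int read_ok;  /* open(O_RDONLY) succeeded: the interpreter can read it */
	int setid;    /* S_ISUID or S_ISGID is set on the file */
	int err;      /* errno from the read-open when read_ok == 0 */
};

int check_script(const char *path, struct script_check *out)
{
	struct stat st;
	int fd;

	memset(out, 0, sizeof(*out));
	if (stat(path, &st) != 0)
		return -1;
	out->setid = (st.st_mode & (S_ISUID | S_ISGID)) != 0;

	/* AT_EACCESS checks with the effective IDs, which is what a later
	 * execve() would use; plain access() checks the real IDs instead. */
	out->exec_ok = faccessat(AT_FDCWD, path, X_OK, AT_EACCESS) == 0;

	/* A script runs by being read. If this open() fails, no mode bit
	 * can make the file interpretable, whatever else is set on it. */
	fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		out->err = errno;
	} else {
		out->read_ok = 1;
		close(fd);
	}
	return 0;
}

/* The corner case raised in the thread: executable and set-id, but not
 * readable. For scripts it cannot matter, because an interpreter that
 * cannot read the file cannot execute it either. */
int is_setid_unreadable(const struct script_check *c)
{
	return c->exec_ok && c->setid && !c->read_ok;
}

/* Write a one-line shell script, then set its mode. The body is written
 * first because writing to a file clears its set-id bits. */
int make_script(const char *path, mode_t mode)
{
	static const char body[] = "#!/bin/sh\necho hello\n";
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);

	if (fd < 0)
		return -1;
	if (write(fd, body, sizeof(body) - 1) != (ssize_t)(sizeof(body) - 1) ||
	    fchmod(fd, mode) != 0) {
		close(fd);
		return -1;
	}
	return close(fd);
}

int main(void)
{
	static const struct { const char *name; mode_t mode; } cases[] = {
		{ "plain.sh",    0644 },  /* readable, not executable */
		{ "exec.sh",     0755 },  /* the normal script case */
		{ "suid.sh",     04755 }, /* set-id bit that execve ignores on scripts */
		{ "suidonly.sh", 04111 }, /* the corner case: set-id, x only, unreadable */
	};
	char dir[] = "/tmp/script-check-XXXXXX"; /* assumption: /tmp is writable */
	char path[128];
	struct script_check c;
	size_t i;

	if (!mkdtemp(dir))
		return 1;
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		snprintf(path, sizeof(path), "%s/%s", dir, cases[i].name);
		if (make_script(path, cases[i].mode) != 0 || check_script(path, &c) != 0)
			return 1;
		printf("%-12s exec_ok=%d read_ok=%d setid=%d corner=%d%s%s\n",
		       cases[i].name, c.exec_ok, c.read_ok, c.setid,
		       is_setid_unreadable(&c), c.read_ok ? "" : " open: ",
		       c.read_ok ? "" : strerror(c.err));
		unlink(path);
	}
	rmdir(dir);
	return 0;
}
```

Run as an unprivileged user, the last case is the only one where the corner flag is set: the file passes the X_OK check and carries S_ISUID, but the read-open fails with EACCES, so an interpreter never gets as far as honouring the bit. As root, CAP_DAC_OVERRIDE makes the read-open succeed and the corner case disappears; in both cases the set-id bits play no part in whether the script can be interpreted, which is the semantics the thread wants to keep.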