• Kees Cook's avatar
    exec: move path_noexec() check earlier · 0fd338b2
    Kees Cook authored
    The path_noexec() check, like the regular file check, was happening too
    late, letting LSMs see impossible execve()s.  Check it earlier as well in
    may_open() and collect the redundant fs/exec.c path_noexec() test under
    the same robustness comment as the S_ISREG() check.
    
    My notes on the call path, and related arguments, checks, etc:
    
    do_open_execat()
        struct open_flags open_exec_flags = {
            .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC,
            .acc_mode = MAY_EXEC,
            ...
        do_filp_open(dfd, filename, open_flags)
            path_openat(nameidata, open_flags, flags)
                file = alloc_empty_file(open_flags, current_cred());
                do_open(nameidata, file, open_flags)
                    may_open(path, acc_mode, open_flag)
                        /* new location of MAY_EXEC vs path_noexec() test */
                        inode_permission(inode, MAY_OPEN | acc_mode)
                            security_inode_permission(inode, acc_mode)
                    vfs_open(path, file)
                        do_dentry_open(file, path->dentry->d_inode, open)
                            security_file_open(f)
                            open()
        /* old location of path_noexec() test */
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Viro <viro@zeniv.linux.org.uk>
    Cc: Aleksa Sarai <cyphar@cyphar.com>
    Cc: Christian Brauner <christian.brauner@ubuntu.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Eric Biggers <ebiggers3@gmail.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Link: http://lkml.kernel.org/r/20200605160013.3954297-4-keescook@chromium.orgSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    0fd338b2
exec.c 51 KB