On 29/04/2020 00:01, Jann Horn wrote:
> On Tue, Apr 28, 2020 at 11:21 PM Florian Weimer <fw@xxxxxxxxxxxxx> wrote:
>> * Jann Horn:
>>
>>> Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in
>>> the dynamic linker.
>>
>> Absolutely. In typical configurations, the kernel does not enforce
>> that executable mappings must be backed by files which are executable.
>> It's most obvious with using an explicit loader invocation to run
>> executables on noexec mounts. RESOLVE_MAYEXEC is much more useful
>> than trying to reimplement the kernel permission checks (or what some
>> believe they should be) in userspace.

Indeed it makes sense to use RESOLVE_MAYEXEC for the dynamic linker too. Only the noexec mount option is taken into account for mmap(2) with PROT_EXEC, and if you can trick the dynamic linker with JOP as Jann explained, it may make it possible to execute new code. However, a kernel which forbids remapping memory with PROT_EXEC still makes it possible to implement a W^X policy. Any JOP/ROP still enables unexpected code execution though.

>
> Oh, good point.
>
> That actually seems like something Mickaël could add to his series? If
> someone turns on that knob for "When an interpreter wants to execute
> something, enforce that we have execute access to it", they probably
> also don't want it to be possible to just map files as executable? So
> perhaps when that flag is on, the kernel should either refuse to map
> anything as executable if it wasn't opened with RESOLVE_MAYEXEC or
> (less strict) if RESOLVE_MAYEXEC wasn't used, print a warning, then
> check whether the file is executable and bail out if not?
>
> A configuration where interpreters verify that scripts are executable,
> but other things can just mmap executable pages, seems kinda
> inconsistent...
As it is written in the documentation patch, this RESOLVE_MAYEXEC feature is an important missing piece, but to implement a consistent security policy we need to enable other restrictions, starting with a noexec mount point policy. The purpose of this patch series is not to bring a full-featured LSM with process state handling, but it brings what is needed for LSMs such as SELinux, IMA or IPE to extend their capabilities to reach what you would expect.
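The point Florian and Mickaël make above, that a stock kernel checks only the noexec mount option before honouring mmap(2) with PROT_EXEC and never the file's own execute permission, can be verified on a given host with a small probe. The following C program is an added example written for this page; it is not part of the thread or of the RESOLVE_MAYEXEC patch series, and it does not call openat2() with RESOLVE_MAYEXEC, since that flag requires the patched kernel under discussion. It creates an unlinked mode-0600 file (no execute bits), maps one zero-filled page of it PROT_READ|PROT_EXEC, and reports whether the kernel allowed the mapping. The directory path /tmp, the result enum and the function names are assumptions of this example. The helper file_has_exec_bits() is exactly the kind of userspace reimplementation of the kernel's permission check that Florian argues against; it is used here only to confirm the probe file is non-executable, not as a policy mechanism. Nothing in the mapped page is ever executed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of probe_exec_mapping() (names are this example's own). */
enum probe_result {
    PROBE_ERROR = -1,          /* could not set up the probe file */
    PROBE_MAPPED_EXEC = 0,     /* PROT_EXEC mapping of a non-executable file was allowed */
    PROBE_DENIED_BY_MOUNT = 1  /* mmap() refused with EPERM, e.g. a noexec mount */
};

/* Userspace check of the file's execute bits. This is the kind of check the
 * thread says should not be reimplemented in userspace; it is only used here
 * to document that the probe file carries no execute permission. */
int file_has_exec_bits(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* Create an unlinked 0600 file under `dir`, map one page of it
 * PROT_READ|PROT_EXEC and report whether the kernel allowed that.
 * The page is zero-filled and is never executed. */
enum probe_result probe_exec_mapping(const char *dir, int *mmap_errno)
{
    char path[4096];
    /* mkstemp() needs the template to end in XXXXXX and creates the file 0600. */
    if (snprintf(path, sizeof path, "%s/mayexec-probe-XXXXXX", dir) >= (int)sizeof path)
        return PROBE_ERROR;
    int fd = mkstemp(path);
    if (fd < 0)
        return PROBE_ERROR;
    unlink(path); /* keep only the descriptor; the name never persists */

    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || ftruncate(fd, page) != 0 || file_has_exec_bits(fd) != 0) {
        close(fd);
        return PROBE_ERROR;
    }

    enum probe_result r;
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        if (mmap_errno)
            *mmap_errno = errno;
        /* A noexec mount makes PROT_EXEC file mappings fail with EPERM. */
        r = (errno == EPERM) ? PROBE_DENIED_BY_MOUNT : PROBE_ERROR;
    } else {
        if (mmap_errno)
            *mmap_errno = 0;
        munmap(p, (size_t)page);
        r = PROBE_MAPPED_EXEC;
    }
    close(fd);
    return r;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/tmp"; /* assumed default directory */
    int err = 0;
    switch (probe_exec_mapping(dir, &err)) {
    case PROBE_MAPPED_EXEC:
        printf("%s: PROT_EXEC mapping of a mode-0600 file allowed; only noexec would stop it\n", dir);
        return 0;
    case PROBE_DENIED_BY_MOUNT:
        printf("%s: PROT_EXEC mapping denied (%s); mount is likely noexec\n", dir, strerror(err));
        return 0;
    default:
        printf("%s: probe failed: %s\n", dir, strerror(err ? err : errno));
        return 1;
    }
}
```

Run it with a directory argument to compare mount points (for example a tmpfs mounted noexec against the root filesystem): on a typical unpatched kernel the probe reports the mapping as allowed everywhere except noexec mounts, which is precisely the gap that an interpreter or dynamic linker opening files with RESOLVE_MAYEXEC, plus a consistent noexec policy, is meant to close.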