On 29/04/2020 00.01, Jann Horn wrote: > On Tue, Apr 28, 2020 at 11:21 PM Florian Weimer <fw@xxxxxxxxxxxxx> wrote: >> * Jann Horn: >> >>> Just as a comment: You'd probably also have to use RESOLVE_MAYEXEC in >>> the dynamic linker. >> >> Absolutely. In typical configurations, the kernel does not enforce >> that executable mappings must be backed by files which are executable. >> It's most obvious with using an explicit loader invocation to run >> executables on noexec mounts. RESOLVE_MAYEXEC is much more useful >> than trying to reimplement the kernel permission checks (or what some >> believe they should be) in userspace. > > Oh, good point. > > That actually seems like something Mickaël could add to his series? If > someone turns on that knob for "When an interpreter wants to execute > something, enforce that we have execute access to it", they probably > also don't want it to be possible to just map files as executable? So > perhaps when that flag is on, the kernel should either refuse to map > anything as executable if it wasn't opened with RESOLVE_MAYEXEC or > (less strict) if RESOLVE_MAYEXEC wasn't used, print a warning, then > check whether the file is executable and bail out if not? > > A configuration where interpreters verify that scripts are executable, > but other things can just mmap executable pages, seems kinda > inconsistent... +1 I worked with Steve Downer on Python PEP 578 [1] that added audit hooks and PyFile_OpenCode() to CPython. A PyFile_OpenCode() implementation with RESOLVE_MAYEXEC will hep to secure loading of Python code. But Python also includes a wrapper of libffi. ctypes or cffi can load native code from either shared libraries with dlopen() or execute native code from mmap() regions. For example SnakeEater [2] is a clever attack that abused memfd_create syscall and proc filesystem to execute code. A consistent security policy must also ensure that mmap() PROT_EXEC enforces the same restrictions as RESOLVE_MAYEXEC. The restriction doesn't have be part of this patch, though. Christian [1] https://www.python.org/dev/peps/pep-0578/ [2] https://github.com/nullbites/SnakeEater/blob/master/SnakeEater2.py
