[PATCH v7 0/7] Add support for O_MAYEXEC
Deven Bowers
deven.desai at linux.microsoft.com
Tue Aug 11 17:18:08 UTC 2020
On 8/11/2020 1:48 AM, Mickaël Salaün wrote:
[...snip]
>>> It is a
>>> good practice to check as soon as possible such properties, and it may
>>> enables to avoid (user space) time-of-check to time-of-use (TOCTOU)
>>> attacks (i.e. misuse of already open resources).
>>
>> The assumption that security checks should happen as early as possible
>> can actually cause security problems. For example, because seccomp was
>> designed to do its checks as early as possible, including before
>> ptrace, we had an issue for a long time where the ptrace API could be
>> abused to bypass seccomp filters.
>>
>> Please don't decide that a check must be ordered first _just_ because
>> it is a security check. While that can be good for limiting attack
>> surface, it can also create issues when the idea is applied too
>> broadly.
>
> I'd be interested with such security issue examples.
>
> I hope that delaying checks will not be an issue for mechanisms such as
> IMA or IPE:
> https://lore.kernel.org/lkml/1544699060.6703.11.camel@linux.ibm.com/
>
> Any though Mimi, Deven, Chrome OS folks?
>
I don't see an issue with IPE. As long as the hypothetical new syscall
and associated security hook have the file struct available in the
hook, it should integrate fairly easily.
[...snip]
More information about the Linux-security-module-archive
mailing list