From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BC9E1C4360D for ; Mon, 9 Sep 2019 00:17:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 9AF3521479 for ; Mon, 9 Sep 2019 00:17:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731815AbfIIAR6 (ORCPT ); Sun, 8 Sep 2019 20:17:58 -0400 Received: from namei.org ([65.99.196.166]:43320 "EHLO namei.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731443AbfIIAR6 (ORCPT ); Sun, 8 Sep 2019 20:17:58 -0400 Received: from localhost (localhost [127.0.0.1]) by namei.org (8.14.4/8.14.4) with ESMTP id x890GNJt027077; Mon, 9 Sep 2019 00:16:24 GMT Date: Sun, 8 Sep 2019 17:16:23 -0700 (PDT) From: James Morris To: =?ISO-8859-15?Q?Micka=EBl_Sala=FCn?= cc: linux-kernel@vger.kernel.org, Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Eric Chiang , Florian Weimer , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?ISO-8859-15?Q?Micka=EBl_Sala=FCn?= , Mimi Zohar , =?ISO-8859-15?Q?Philippe_Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Song Liu , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Mimi Zohar Subject: Re: [PATCH v2 0/5] Add support for O_MAYEXEC In-Reply-To: <20190906152455.22757-1-mic@digikod.net> Message-ID: References: <20190906152455.22757-1-mic@digikod.net> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="1665246916-1947903910-1567986261=:20426" Content-ID: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1665246916-1947903910-1567986261=:20426 Content-Type: text/plain; CHARSET=ISO-8859-15 Content-Transfer-Encoding: 8BIT Content-ID: On Fri, 6 Sep 2019, Mickaël Salaün wrote: > Furthermore, the security policy can also be delegated to an LSM, either > a MAC system or an integrity system. For instance, the new kernel > MAY_OPENEXEC flag closes a major IMA measurement/appraisal interpreter > integrity gap by bringing the ability to check the use of scripts [2]. To clarify, scripts are already covered by IMA if they're executed directly, and the gap is when invoking a script as a parameter to the interpreter (and for any sourced files). In that case only the interpreter is measured/appraised, unless there's a rule also covering the script file(s). See: https://en.opensuse.org/SDB:Ima_evm#script-behaviour In theory you could probably also close the gap by modifying the interpreters to check for the execute bit on any file opened for interpretation (as earlier suggested by Steve Grubb), and then you could have IMA measure/appraise all files with +x. I suspect this could get messy in terms of unwanted files being included, and the MAY_OPENEXEC flag has cleaner semantics. -- James Morris --1665246916-1947903910-1567986261=:20426--