From: "Mickaël Salaün" <mic@digikod.net>
To: linux-kernel@vger.kernel.org
Cc: "Mickaël Salaün" <mic@digikod.net>, "Aleksa Sarai" <cyphar@cyphar.com>, "Alexei Starovoitov" <ast@kernel.org>, "Al Viro" <viro@zeniv.linux.org.uk>, "Andy Lutomirski" <luto@kernel.org>, "Christian Heimes" <christian@python.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "Eric Chiang" <ericchiang@google.com>, "Florian Weimer" <fweimer@redhat.com>, "James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>, "Jann Horn" <jannh@google.com>, "Jonathan Corbet" <corbet@lwn.net>, "Kees Cook" <keescook@chromium.org>, "Matthew Garrett" <mjg59@google.com>, "Matthew Wilcox" <willy@infradead.org>, "Michael Kerrisk" <mtk.manpages@gmail.com>, "Mickaël Salaün" <mickael.salaun@ssi.gouv.fr>, "Mimi Zohar" <zohar@linux.ibm.com>, "Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>, "Scott Shell" <scottsh@microsoft.com>, "Sean Christopherson" <sean.j.christopherson@intel.com>, "Shuah Khan" <shuah@kernel.org>, "Song Liu" <songliubraving@fb.com>, "Steve Dower" <steve.dower@python.org>, "Steve Grubb" <sgrubb@redhat.com>, "Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>, "Vincent Strubel" <vincent.strubel@ssi.gouv.fr>, "Yves-Alexis Perez" <yves-alexis.perez@ssi.gouv.fr>, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [PATCH v2 5/5] doc: Add documentation for the fs.open_mayexec_enforce sysctl
Date: Fri, 6 Sep 2019 17:24:55 +0200
Message-ID: <20190906152455.22757-6-mic@digikod.net>
In-Reply-To: <20190906152455.22757-1-mic@digikod.net>

Changes since v1:
* move from LSM/Yama to sysctl/fs
Signed-off-by: Mickaël Salaün <mic@digikod.net> Reviewed-by: Philippe Trébuchet <philippe.trebuchet@ssi.gouv.fr> Reviewed-by: Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr> Cc: Jonathan Corbet <corbet@lwn.net> Cc: Kees Cook <keescook@chromium.org> Cc: Mickaël Salaün <mickael.salaun@ssi.gouv.fr> --- Documentation/admin-guide/sysctl/fs.rst | 43 +++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst index 2a45119e3331..f2f5bbe428d6 100644 --- a/Documentation/admin-guide/sysctl/fs.rst +++ b/Documentation/admin-guide/sysctl/fs.rst @@ -37,6 +37,7 @@ Currently, these files are in /proc/sys/fs: - inode-nr - inode-state - nr_open +- open_mayexec_enforce - overflowuid - overflowgid - pipe-user-pages-hard 
@@ -165,6 +166,48 @@ system needs to prune the inode list instead of allocating more. +open_mayexec_enforce +-------------------- + +The ``O_MAYEXEC`` flag can be passed to :manpage:`open(2)` to only open regular +files that are expected to be executable. If the file is not identified as +executable, then the syscall returns -EACCES. This may allow a script +interpreter to check executable permission before reading commands from a file. +One interesting use case is to enforce a "write xor execute" policy through +interpreters. + +Thanks to this flag, it is possible to enforce the ``noexec`` mount option +(i.e. the underlying mount point of the file is mounted with MNT_NOEXEC or its +underlying superblock is SB_I_NOEXEC) not only on ELF binaries but also on +scripts. This may be possible thanks to script interpreters using the +``O_MAYEXEC`` flag. The executable permission is then checked before reading +commands from a file, and thus can enforce the ``noexec`` at the interpreter +level by propagating this security policy to the scripts. To be fully +effective, these interpreters also need to handle the other ways to execute +code (for which the kernel can't help): command line parameters (e.g., option +``-e`` for Perl), module loading (e.g., option ``-m`` for Python), stdin, file +sourcing, environment variables, configuration files... According to the +threat model, it may be acceptable to allow some script interpreters (e.g. +Bash) to interpret commands from stdin, may it be a TTY or a pipe, because it +may not be enough to (directly) perform syscalls. + +There is two complementary security policies: enforce the ``noexec`` mount +option, or enforce executable file permission. These policies are handled by +the ``fs.open_mayexec_enforce`` sysctl (writable only with ``CAP_MAC_ADMIN``) +as a bitmask: + +1 - mount restriction: + check that the mount options for the underlying VFS mount do not prevent + execution. 
+ +2 - file permission restriction: + check that the to-be-opened file is marked as executable for the current + process (e.g., POSIX permissions). + +Code samples can be found in tools/testing/selftests/exec/omayexec.c and +https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC . + + overflowgid & overflowuid ------------------------- -- 2.23.0
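Review bot: the bitmask description in the open_mayexec_enforce hunk lists values 1 and 2 but never states what 0 means (no enforcement) or that 3 combines both restrictions, and it does not give the default; an administrator reads this file to decide what to write into /proc/sys/fs/open_mayexec_enforce, so state all four values and the default explicitly, e.g. "0 - no enforcement (default)" and "3 - both restrictions". Two grammar fixes in the same hunk: "There is two complementary security policies" should read "There are two complementary security policies", and "may it be a TTY or a pipe" should read "be it a TTY or a pipe". The sentence "This may be possible thanks to script interpreters using the ``O_MAYEXEC`` flag" restates the preceding sentence; drop it or fold it into the sentence that follows about checking the executable permission before reading commands.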