From: Igor Zhbanov <i.zhbanov@omprussia.ru>
To: Matthew Wilcox <willy@infradead.org>, Al Viro <viro@zeniv.linux.org.uk>
Cc: "Mickaël Salaün" <mic@digikod.net>,
"Mimi Zohar" <zohar@linux.ibm.com>,
linux-kernel@vger.kernel.org, "Aleksa Sarai" <cyphar@cyphar.com>,
"Alexei Starovoitov" <ast@kernel.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Andy Lutomirski" <luto@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Christian Brauner" <christian.brauner@ubuntu.com>,
"Christian Heimes" <christian@python.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Deven Bowers" <deven.desai@linux.microsoft.com>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Eric Biggers" <ebiggers@kernel.org>,
"Eric Chiang" <ericchiang@google.com>,
"Florian Weimer" <fweimer@redhat.com>,
"James Morris" <jmorris@namei.org>, "Jan Kara" <jack@suse.cz>,
"Jann Horn" <jannh@google.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Kees Cook" <keescook@chromium.org>,
"Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>,
"Matthew Garrett" <mjg59@google.com>,
"Michael Kerrisk" <mtk.manpages@gmail.com>,
"Miklos Szeredi" <mszeredi@redhat.com>,
"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
"Scott Shell" <scottsh@microsoft.com>,
"Sean Christopherson" <sean.j.christopherson@intel.com>,
"Shuah Khan" <shuah@kernel.org>,
"Steve Dower" <steve.dower@python.org>,
"Steve Grubb" <sgrubb@redhat.com>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"Thibaut Sautereau" <thibaut.sautereau@clip-os.org>,
"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-fsdevel@vger.kernel.org
Subject: Re: [RFC PATCH v9 0/3] Add introspect_access(2) (was O_MAYEXEC)
Date: Fri, 11 Sep 2020 17:15:10 +0300 [thread overview]
Message-ID: <c77abad8-55a6-d66a-8d4d-dfc598fe5251@omprussia.ru> (raw)
In-Reply-To: <20200910200543.GY6583@casper.infradead.org>
On 10.09.2020 23:05, Matthew Wilcox wrote:
> On Thu, Sep 10, 2020 at 09:00:10PM +0100, Al Viro wrote:
>> On Thu, Sep 10, 2020 at 07:40:33PM +0100, Matthew Wilcox wrote:
>>> On Thu, Sep 10, 2020 at 08:38:21PM +0200, Mickaël Salaün wrote:
>>>> There is also the use case of noexec mounts and file permissions. From
>>>> user space point of view, it doesn't matter which kernel component is in
>>>> charge of defining the policy. The syscall should then not be tied with
>>>> a verification/integrity/signature/appraisal vocabulary, but simply an
>>>> access control one.
>>>
>>> permission()?
>>
>> int lsm(int fd, const char *how, char *error, int size);
>>
>> Seriously, this is "ask LSM to apply special policy to file"; let's
>> _not_ mess with flags, etc. for that; give it decent bandwidth
>> and since it's completely opaque for the rest of the kernel,
>> just a pass a string to be parsed by LSM as it sees fit.
>
> Hang on, it does have some things which aren't BD^W^WLSM. It lets
> the interpreter honour the mount -o noexec option. I presume it's
> not easily defeated by
> cat /home/salaun/bin/bad.pl | perl -
Hi!
It could be bypassed this way. There are several ways of executing some
script:
1) /unsigned.sh (Already handled by IMA)
2) bash /unsigned.sh (Not handled. Works even with "-o noexec" mount)
3) bash < /unsigned.sh (Not handled. Works even with "-o noexec" mount)
4) cat /unsigned.sh | bash (Not handled. Works even with "-o noexec" mount)
AFAIK, the proposed syscall solves #2 and may be #3. As for #4 in security
critical environments there should be system-wide options to disable
interpreting scripts from the standard input. I suppose, executing commands
from the stdin is a rare case, and could be avoided entirely in security
critical environments. And yes, some help from the interpreters is needed
for that.
As for the usage of the system call, I have a proposal to extend its usage
to validate systemd unit files. Because a unit file could specify what UID
to use for a service, also it contains ExecStartPre which is actually a script
and is running as root (for the system session services).
For the syscall name it could be:
- trusted_file()
- trusted_file_content()
- valid_file()
- file_integrity()
because what we are checking here is the file content integrity (IMA) and
may be file permissions/attrs integrity (EVM).
next prev parent reply other threads:[~2020-09-11 16:33 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-10 16:46 [RFC PATCH v9 0/3] Add introspect_access(2) (was O_MAYEXEC) Mickaël Salaün
2020-09-10 16:46 ` [RFC PATCH v9 1/3] fs: Add introspect_access(2) syscall implementation and related sysctl Mickaël Salaün
2020-09-10 16:46 ` [RFC PATCH v9 2/3] arch: Wire up introspect_access(2) Mickaël Salaün
2020-09-15 13:32 ` Arnd Bergmann
2020-09-10 16:46 ` [RFC PATCH v9 3/3] selftest/interpreter: Add tests for introspect_access(2) policies Mickaël Salaün
2020-09-10 17:04 ` [RFC PATCH v9 0/3] Add introspect_access(2) (was O_MAYEXEC) Matthew Wilcox
2020-09-10 17:21 ` Mickaël Salaün
2020-09-10 17:47 ` Mickaël Salaün
2020-09-10 18:08 ` Mimi Zohar
2020-09-10 18:38 ` Mickaël Salaün
2020-09-10 18:40 ` Matthew Wilcox
2020-09-10 20:00 ` Al Viro
2020-09-10 20:05 ` Matthew Wilcox
2020-09-11 12:16 ` Mickaël Salaün
2020-09-11 14:15 ` Igor Zhbanov [this message]
2020-09-12 0:28 ` James Morris
2020-09-14 16:43 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c77abad8-55a6-d66a-8d4d-dfc598fe5251@omprussia.ru \
--to=i.zhbanov@omprussia.ru \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=ast@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=christian.brauner@ubuntu.com \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=daniel@iogearbox.net \
--cc=deven.desai@linux.microsoft.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=ericchiang@google.com \
--cc=fweimer@redhat.com \
--cc=jack@suse.cz \
--cc=jannh@google.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mic@digikod.net \
--cc=mjg59@google.com \
--cc=mszeredi@redhat.com \
--cc=mtk.manpages@gmail.com \
--cc=nramas@linux.microsoft.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=philippe.trebuchet@ssi.gouv.fr \
--cc=scottsh@microsoft.com \
--cc=sean.j.christopherson@intel.com \
--cc=sgrubb@redhat.com \
--cc=shuah@kernel.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@clip-os.org \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.