From: Mickaël Salaün
To: linux-kernel@vger.kernel.org
Cc: Mickaël Salaün, Al Viro, James Morris, Jonathan Corbet, Kees Cook, Matthew Garrett, Michael Kerrisk, Mickaël Salaün, Mimi Zohar, Philippe Trébuchet, Shuah Khan, Thibaut Sautereau, Vincent Strubel, Yves-Alexis Perez, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: [RFC PATCH v1 5/5] doc: Add documentation for Yama's open_mayexec_enforce
Date: Wed, 12 Dec 2018 09:17:12 +0100
Message-Id: <20181212081712.32347-6-mic@digikod.net>
X-Mailer: git-send-email 2.20.0.rc2
In-Reply-To: <20181212081712.32347-1-mic@digikod.net>
References: <20181212081712.32347-1-mic@digikod.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Signed-off-by: Mickaël Salaün
Reviewed-by: Philippe Trébuchet
Reviewed-by: Thibaut Sautereau
Cc: Jonathan Corbet
Cc: Kees Cook
Cc: Mickaël Salaün
---
 Documentation/admin-guide/LSM/Yama.rst | 41 ++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/Documentation/admin-guide/LSM/Yama.rst b/Documentation/admin-guide/LSM/Yama.rst
index d0a060de3973..a72c86a24b35 100644
--- a/Documentation/admin-guide/LSM/Yama.rst
+++ b/Documentation/admin-guide/LSM/Yama.rst
@@ -72,3 +72,44 @@ The sysctl settings (writable only with ``CAP_SYS_PTRACE``) are: ``PTRACE_TRACEME``. Once set, this sysctl value cannot be changed. The original children-only logic was based on the restrictions in grsecurity. + +open_mayexec_enforce +==================== + +The ``O_MAYEXEC`` flag can be passed to :manpage:`open(2)` to only open files +(or directories) that are executable. If the file is not identified as +executable, then the syscall returns -EACCES. This may allow a script +interpreter to check executable permission before reading commands from a file. +One interesting use case is to enforce a "write xor execute" policy through +interpreters. + +Thanks to this flag, Yama enables to enforce the ``noexec`` mount option (i.e. +the underlying mount point of the file is mounted with MNT_NOEXEC or its +underlying superblock is SB_I_NOEXEC) not only on ELF binaries but also on +scripts. This may be possible thanks to script interpreters using the +``O_MAYEXEC`` flag. The executable permission is then checked before reading +commands from a file, and thus can enforce the ``noexec`` at the interpreter +level by propagating this security policy to the scripts. To be fully +effective, these interpreters also need to handle the other ways to execute +code (for which the kernel can't help): command line parameters (e.g., option +``-e`` for Perl), module loading (e.g., option ``-m`` for Python), stdin, file +sourcing, environment variables, configuration files... According to the +threat model, it may be acceptable to allow some script interpreters (e.g. +Bash) to interpret commands from stdin, may it be a TTY or a pipe, because it +may not be enough to (directly) perform syscalls. + +Yama implements two complementary security policies to propagate the ``noexec`` +mount option or the executable file permission. 
These policies are handled by +the ``kernel.yama.open_mayexec_enforce`` sysctl (writable only with +``CAP_MAC_ADMIN``) as a bitmask: + +1 - mount restriction: + check that the mount options for the underlying VFS mount do not prevent + execution. + +2 - file permission restriction: + check that the to-be-opened file is marked as executable for the current + process (e.g., POSIX permissions). + +Code samples can be found in tools/testing/selftests/yama/test_omayexec.c and +https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC . -- 2.20.0.rc2
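Review bot: the sysctl description in the new ``open_mayexec_enforce`` section lists bit 1 (mount restriction) and bit 2 (file permission restriction) but never states the default value of ``kernel.yama.open_mayexec_enforce``, what 0 means (presumably no enforcement), or that the two bits combine to 3 to apply both checks; unlike the ``ptrace_scope`` text just above it, it also does not say whether the value can be lowered again once raised, so an administrator reading this page cannot tell what state a freshly booted system is in or how to lock the policy. Suggest adding a sentence right after "as a bitmask:" giving the default, the meaning of 0 and 3, and the change semantics. Two wording fixes in the same hunk while here: "Yama enables to enforce the ``noexec`` mount option" reads better as "Yama can enforce the ``noexec`` mount option", and "may it be a TTY or a pipe" should be "be it a TTY or a pipe"; the clause "because it may not be enough to (directly) perform syscalls" should spell out what "it" refers to (commands read from stdin) so the stated threat-model exception for interactive shells is understandable.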