Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2070083imu; Wed, 12 Dec 2018 09:02:10 -0800 (PST) X-Google-Smtp-Source: AFSGD/XVdl+/w0QvfTT91Xsjx3HMhCouFG5h9WPOzcs8HCYJ+PrRpxsJV+IzECNN/n+ZWOOqqNzf X-Received: by 2002:a62:7796:: with SMTP id s144mr20751630pfc.26.1544634130401; Wed, 12 Dec 2018 09:02:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544634130; cv=none; d=google.com; s=arc-20160816; b=WnxyRWIfacm1Re8dbH7KqroiPED57a3m5a7DJm5vqu0ZQwIobcfBO1BOqJD97cXZNS AF4NGIP2HtewNB+8YT0CCO8gfsIdWYzQxNnVN1gyYpRr45B4mKHuXqAgh+VJ+XeHtbFK 5eaSNkobA2o3kIMgShf3q3HjHiENHk05PHFv4NrD/yVooQWCmDU59nJrIjAnj4Ror5U4 F4aGxxN6HuWEXfEbW/OUtntfQN+wCFONuUW4URQY5Ncg6UJYObVOdJVwNSF4pqOxFZ68 lEky6dHAjCTcXdhtS6dOwciea0KPZ17E2kqfCEkPnBgxolgmeBpbFrWpOs+d1il47DVy ZUNQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=ihOtmNqY6SVpSEpo+JHarD+jucKAimXrsTh73fhWD90=; b=P7lsg3JU98L5j/D4mbOkwcbzm54EHfVLe6opc+pjeTeo9/3JLZmTNkScQK5/+Mul0H NBR93TKrdZqY17zjURaqTED2gy2RN8cxSj6498OkHmAHdmMB4yDul8sQ+v/Bb1ARNSSl Xxm7evDCAWTDNXHSvtJiaXLb0J60oSpPEL8UPUlz1aIYDPV1QUVGYyqaRv1lv+4+un39 jjKbosiYCljRQ2n2HV4AIzyME65HTJJATiWod34jGljH7XjgshIDZEsyVK4Amfj/t1P8 mz7aFoMEDc1aMC1v5wG0KeFfjpRnIrJG64HHCfYzrpBvSLJ+JIQ9X25Ke7XiY0WC+4F2 f7Iw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b="Ph/RkYFS"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j70si14518517pgd.138.2018.12.12.09.01.54; Wed, 12 Dec 2018 09:02:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b="Ph/RkYFS"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727937AbeLLRBA (ORCPT + 99 others); Wed, 12 Dec 2018 12:01:00 -0500 Received: from smtp-out.ssi.gouv.fr ([86.65.182.90]:50040 "EHLO smtp-out.ssi.gouv.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727681AbeLLRA7 (ORCPT ); Wed, 12 Dec 2018 12:00:59 -0500 Received: from smtp-out.ssi.gouv.fr (localhost [127.0.0.1]) by smtp-out.ssi.gouv.fr (Postfix) with ESMTP id 02B7DD0006B; Wed, 12 Dec 2018 18:01:06 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ssi.gouv.fr; s=20160407; t=1544634066; bh=PGQIfl8GvoOs1KqhFUvGy6lVfeojWfWYhz5V40aZpE4=; h=Subject:To:CC:References:From:Date:In-Reply-To:From:Subject; b=Ph/RkYFSEdsJ4++lI5qLDDZdMG1C1S6JQeFJOud5umJUer1+Aaze6y3zUKMwIxXXx JDeBkS4r3nl2u2jwYAxNqkbp6MlRJewHdi9rmMz5vJvzr8Nl4f+0zRe72vwsrUHYc2 FDJWuGTpwsugXGEMKFliheCe4aCNBhi+AJqPGOvJ/yertoUPer5SKpore4AqQRV5/3 r5yTCgLBPUKWiiV8dFtR/bn5FBh93kSq+24YNL32eShjmjsA5qwR6m1flvj7yN8Bx1 NfziqZgwIYMhKwfXE2LK0a5Sm/f7KWV+T7ZvhgvR1KTd3V+805WZGxLVRI3vvJhq// 8fRwnG5ZFPDXg== Subject: Re: [RFC PATCH v1 0/5] Add support for O_MAYEXEC To: Jordan Glover , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= CC: "linux-kernel@vger.kernel.org" , Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , "kernel-hardening@lists.openwall.com" , "linux-api@vger.kernel.org" , "linux-security-module@vger.kernel.org" , "linux-fsdevel@vger.kernel.org" References: <20181212081712.32347-1-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <7c498761-7d74-956c-01df-1c8f39c10519@ssi.gouv.fr> Date: Wed, 12 Dec 2018 18:01:04 +0100 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 12/12/2018 à 17:29, Jordan Glover a écrit : > On Wednesday, December 12, 2018 9:17 AM, Mickaël Salaün wrote: > >> Hi, >> >> The goal of this patch series is to control script interpretation. A >> new O_MAYEXEC flag used by sys_open() is added to enable userland script >> interpreter to delegate to the kernel (and thus the system security >> policy) the permission to interpret scripts or other files containing >> what can be seen as commands. >> >> The security policy is the responsibility of an LSM. A basic >> system-wide policy is implemented with Yama and configurable through a >> sysctl. >> >> The initial idea come from CLIP OS and the original implementation has >> been used for more than 10 years: >> https://github.com/clipos-archive/clipos4_doc >> >> An introduction to O_MAYEXEC was given at the Linux Security Summit >> Europe 2018 - Linux Kernel Security Contributions by ANSSI: >> https://www.youtube.com/watch?v=chNjCRtPKQY&t=17m15s >> The "write xor execute" principle was explained at Kernel Recipes 2018 - >> CLIP OS: a defense-in-depth OS: >> https://www.youtube.com/watch?v=PjRE0uBtkHU&t=11m14s >> >> This patch series can be applied on top of v4.20-rc6. This can be >> tested with CONFIG_SECURITY_YAMA. I would really appreciate >> constructive comments on this RFC. >> >> Regards, >> > > Are various interpreters upstreams interested in adding support > for O_MAYEXEC if it land in kernel? Did you contacted them about this? I think the first step is to be OK on the kernel side. We will then be able to help upstream interpreters implement this feature. It should be OK because the behavior doesn't change by default, i.e. if the sysadmin doesn't configure (and test) the whole system. Some examples of modified interpreters can be found at https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC . Mickaël