Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2081924imu; Wed, 12 Dec 2018 09:11:46 -0800 (PST) X-Google-Smtp-Source: AFSGD/XYLnc2BS4/1t/z1+y0YoVZaqf03jXkpKkF3VSSwd8S6wVO1ng1qRlcRFOGikGbSPWj74Rf X-Received: by 2002:a63:d70e:: with SMTP id d14mr19080057pgg.159.1544634706468; Wed, 12 Dec 2018 09:11:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544634706; cv=none; d=google.com; s=arc-20160816; b=KR5Fdr/X7bEIm89zKjOM27DCptpaW2bWsbbVYXyN+Tz1TAfN5RxChOpKNTCITQFetA 7rZdDgSWq/GBrzpdpoICryxlP2wwRrJQ/WyNbMiGmKh/CuhXEzeT5hHO59+SFXTlUK9A GxnIKMrPq/tJEQGQ7n+S9ng5UyNYm/JbbfkRdx9qkpS6/D/yjuTK1klKchIM/BYMj5x6 CsfpQ/B6RQ3jYVMDpcdmf4W5D1pojA/38wBb6xo8DHjjfK3nLtI2PKiBFJFhCLQ75BPq 2eFR5cUlSp+TYK3PjsSLbylu5bqtZeUwY8Og6jv+z8rcEVa4U3EJTr5J1ltSt5Xa+I4w sjKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=0UpYAArALNPV0Ls7qwdpTpm9SuJifCwPV6+Csd8Fa20=; b=QcqYdTzYFm1ecKxzpOfXsFW4oTq2MdoZEgRogtOIW/c091tFKU6m/FTciWWgXaW/90 ZWxuDwnXVGd166Zzt+S28Ptjfpt8PaglFvD7wkstxd3yUcvsbz6hhBaEjs2HtM8cl2+e Utm4IqwCe8BaMAf0tYb1Vw6fbqbBOo+F3DLaEqbOr3FP3wXjQt8Hry4ukkLmobGLT6Do H3/Cbg4e+SCcRilWQFCeUkD1D1CtbpcWGnTdbWLkpYu24bRp/2kOqw5bD+rkiZzeDXGR lbkBQPNPLUN30hT1jxKLZZuHjpl+iCGpvAWNYIUKRNyDQgmIPwPcPEBxn11zxn6P7G+5 SVtQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b=u3tODT7l; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i1si14014185pgs.417.2018.12.12.09.11.31; Wed, 12 Dec 2018 09:11:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b=u3tODT7l; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728004AbeLLRJT (ORCPT + 99 others); Wed, 12 Dec 2018 12:09:19 -0500 Received: from smtp-out.ssi.gouv.fr ([86.65.182.90]:50046 "EHLO smtp-out.ssi.gouv.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726358AbeLLRJT (ORCPT ); Wed, 12 Dec 2018 12:09:19 -0500 Received: from smtp-out.ssi.gouv.fr (localhost [127.0.0.1]) by smtp-out.ssi.gouv.fr (Postfix) with ESMTP id 4DB36D00069; Wed, 12 Dec 2018 18:09:25 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ssi.gouv.fr; s=20160407; t=1544634565; bh=/2EdBYDF1x4Bv+s1m1OiAsJzbKSCXU6nFgHX81HEsvE=; h=Subject:To:CC:References:From:Date:In-Reply-To:From:Subject; b=u3tODT7lMVoVpR9s4XePWkv24U9Xeg2KkcCHWRvx3fAMym+9eS7wEVqkAjjygMuIW jKqNW2Vx0rPnN+B0c14uCwnPXXm/VeYprdX0pk9jzHcfvqjEX+6DXozOyfUezfXsmD HN9Hwfb5lGsEy6oYB1zV+XTR8+XdUD4t5CP+gNynieGxDPQzcXIZi4rVPZRXBObqcB 2TVJ2BcuI/5xEoFwCDUY8naVX6jW5HDmdXPS4tHok1Uiiz79Aa++unzEU3Zw3liZgT hSC275Lg5GQbHgMvb/geUUl7wujwX+MwEg7CoZPuYora9LfSW+RLAMMUzm+u5lfztv f4zQ1y8ds5xQw== Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() To: Jan Kara , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= CC: , Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , , , , , , Matthew Bobrowski References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-2-mic@digikod.net> <20181212144306.GA19945@quack2.suse.cz> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: Date: Wed, 12 Dec 2018 18:09:23 +0100 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <20181212144306.GA19945@quack2.suse.cz> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 12/12/2018 à 15:43, Jan Kara a écrit : > On Wed 12-12-18 09:17:08, Mickaël Salaün wrote: >> When the O_MAYEXEC flag is passed, sys_open() may be subject to >> additional restrictions depending on a security policy implemented by an >> LSM through the inode_permission hook. >> >> The underlying idea is to be able to restrict scripts interpretation >> according to a policy defined by the system administrator. For this to >> be possible, script interpreters must use the O_MAYEXEC flag >> appropriately. To be fully effective, these interpreters also need to >> handle the other ways to execute code (for which the kernel can't help): >> command line parameters (e.g., option -e for Perl), module loading >> (e.g., option -m for Python), stdin, file sourcing, environment >> variables, configuration files... According to the threat model, it may >> be acceptable to allow some script interpreters (e.g. Bash) to interpret >> commands from stdin, may it be a TTY or a pipe, because it may not be >> enough to (directly) perform syscalls. >> >> A simple security policy implementation is available in a following >> patch for Yama. >> >> This is an updated subset of the patch initially written by Vincent >> Strubel for CLIP OS: >> https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb330d6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch >> This patch has been used for more than 10 years with customized script >> interpreters. Some examples can be found here: >> https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC >> >> Signed-off-by: Mickaël Salaün >> Signed-off-by: Thibaut Sautereau >> Signed-off-by: Vincent Strubel >> Reviewed-by: Philippe Trébuchet >> Cc: Al Viro >> Cc: Kees Cook >> Cc: Mickaël Salaün > > ... > >> diff --git a/fs/open.c b/fs/open.c >> index 0285ce7dbd51..75479b79a58f 100644 >> --- a/fs/open.c >> +++ b/fs/open.c >> @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o >> if (flags & O_APPEND) >> acc_mode |= MAY_APPEND; >> >> + /* Check execution permissions on open. */ >> + if (flags & O_MAYEXEC) >> + acc_mode |= MAY_OPENEXEC; >> + >> op->acc_mode = acc_mode; >> >> op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN; > > I don't feel experienced enough in security to tell whether we want this > functionality or not. But if we do this, shouldn't we also set FMODE_EXEC > on the resulting struct file? That way also security_file_open() can be > used to arbitrate such executable opens and in particular > fanotify permission event FAN_OPEN_EXEC will get properly generated which I > guess is desirable (support for it is sitting in my tree waiting for the > merge window) - adding some audit people involved in FAN_OPEN_EXEC to > CC. Just an idea... Indeed, it may be useful for other LSM. Mickaël