Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open()
From: Mimi Zohar
To: Jan Kara, Mickaël Salaün
Cc: linux-kernel@vger.kernel.org, Al Viro, James Morris, Jonathan Corbet, Kees Cook, Matthew Garrett, Michael Kerrisk, Mickaël Salaün, Philippe Trébuchet, Shuah Khan, Thibaut Sautereau, Vincent Strubel, Yves-Alexis Perez, kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, sgrubb@redhat.com, Matthew Bobrowski
Date: Wed, 12 Dec 2018 15:42:36 -0500
In-Reply-To: <20181212144306.GA19945@quack2.suse.cz>
References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-2-mic@digikod.net> <20181212144306.GA19945@quack2.suse.cz>
Message-Id: <1544647356.4028.105.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-12-12 at 15:43 +0100, Jan Kara wrote:
> > diff --git a/fs/open.c b/fs/open.c
> > index 0285ce7dbd51..75479b79a58f 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
> >  	if (flags & O_APPEND)
> >  		acc_mode |= MAY_APPEND;
> >  
> > +	/* Check execution permissions on open. */
> > +	if (flags & O_MAYEXEC)
> > +		acc_mode |= MAY_OPENEXEC;
> > +
> >  	op->acc_mode = acc_mode;
> >  
> >  	op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN;
> 
> I don't feel experienced enough in security to tell whether we want this
> functionality or not. But if we do this, shouldn't we also set FMODE_EXEC
> on the resulting struct file? That way also security_file_open() can be
> used to arbitrate such executable opens and in particular
> fanotify permission event FAN_OPEN_EXEC will get properly generated which I
> guess is desirable (support for it is sitting in my tree waiting for the
> merge window) - adding some audit people involved in FAN_OPEN_EXEC to
> CC. Just an idea...

Assuming the interpreters are properly modified (and signed), MAY_OPENEXEC
closes a major IMA measurement/appraisal gap.  The kernel has no insight
into the files that the interpreter is opening.  Having the interpreter
annotate the file open allows IMA to differentiate scripts opening data
files from code.  IMA policy rules could then be written requiring code to
be signed.

Example IMA policy rules:

measure func=FILE_CHECK mask=MAY_OPENEXEC
appraise func=FILE_CHECK mask=MAY_OPENEXEC appraise_type=imasig

Mimi
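Review bot: the new comment "/* Check execution permissions on open. */" overstates what the three added lines in the build_open_flags() hunk do: nothing is checked there, the hunk only records MAY_OPENEXEC in acc_mode beside the existing O_APPEND -> MAY_APPEND mapping, and the actual decision is left to whatever later consumes op->acc_mode (the IMA FILE_CHECK rules in the reply, or an LSM). Suggest a comment that states this, e.g. "/* Caller intends to execute the file; enforcement is left to the security hooks. */". As Jan points out, the hunk also never touches the resulting struct file, so FMODE_EXEC is not set and security_file_open() cannot tell this open apart from an ordinary read.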