From: Kees Cook
Date: Tue, 8 Jan 2019 15:30:49 -0800
Subject: Re: [RFC PATCH v1 3/5] Yama: Enforces noexec mounts or file executability through O_MAYEXEC
To: Mickaël Salaün
Cc: Jann Horn, Mickaël Salaün, kernel list, Al Viro, James Morris, Jonathan Corbet, Matthew Garrett, Michael Kerrisk-manpages, Mimi Zohar, philippe.trebuchet@ssi.gouv.fr, Shuah Khan, thibaut.sautereau@ssi.gouv.fr, vincent.strubel@ssi.gouv.fr, Perez Yves-Alexis, Kernel Hardening, Linux API, linux-security-module, linux-fsdevel@vger.kernel.org, Andy Lutomirski
In-Reply-To: <0f7d39f8-035b-8566-94c9-ea836b280e24@ssi.gouv.fr>
References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-4-mic@digikod.net> <0f7d39f8-035b-8566-94c9-ea836b280e24@ssi.gouv.fr>
List-ID: linux-kernel@vger.kernel.org

On Tue, Jan 8, 2019 at 5:29 AM Mickaël Salaün wrote:
>
>
> On 03/01/2019 12:17, Jann Horn wrote:
> > On Thu, Dec 13, 2018 at 3:49 PM Mickaël Salaün wrote:
> >> On 12/12/2018 18:09, Jann Horn wrote:
> >>> On Wed, Dec 12, 2018 at 9:18 AM Mickaël Salaün wrote:
> >>>> Enable to either propagate the mount options from the underlying VFS
> >>>> mount to prevent execution, or to propagate the file execute permission.
> >>>> This may allow a script interpreter to check execution permissions
> >>>> before reading commands from a file.
> >>>>
> >>>> The main goal is to be able to protect the kernel by restricting
> >>>> arbitrary syscalls that an attacker could perform with a crafted binary
> >>>> or certain script languages. It also improves multilevel isolation
> >>>> by reducing the ability of an attacker to use side channels with
> >>>> specific code. These restrictions can natively be enforced for ELF
> >>>> binaries (with the noexec mount option) but require this kernel
> >>>> extension to properly handle scripts (e.g., Python, Perl).

I like this idea, but I think it shouldn't live in Yama (since it is
currently intended to be a ptrace-policy-only LSM). It was _originally_
designed to do various DAC improvements, but the agreement was that those
should live directly in the VFS instead (i.e. the symlink, hardlink and
now fifo and regular file defenses). This should likely go in similarly.
(But if not, it could also be its own LSM.)

-- 
Kees Cook
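The two conditions the quoted patch description names, a noexec mount and a missing execute bit, are what a script interpreter can already test from userspace with fstat(2) and fstatvfs(3). The block below is an added example, not code from the patch or the kernel: it sketches that check as an interpreter might do it today, plus a constructed temp-file helper for exercising it; it does not use O_MAYEXEC itself, since the flag is not assumed to exist in the build environment.

```c
#define _GNU_SOURCE          /* ST_NOEXEC is a GNU extension in <sys/statvfs.h> */
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* 1 if the file behind fd lives on a mount flagged noexec, 0 if not, -1 on error. */
int fd_on_noexec_mount(int fd)
{
    struct statvfs vfs;
    if (fstatvfs(fd, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOEXEC) ? 1 : 0;
}

/* 1 if fd is a regular file with any execute bit set, 0 if not, -1 on error. */
int fd_has_exec_bit(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;   /* pipes, sockets, directories: never treated as a script */
    return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? 1 : 0;
}

/* The policy the patch describes: both checks must pass before an interpreter
 * reads commands from fd. With O_MAYEXEC the policy is decided in the kernel
 * and can be switched on system-wide; here it is hard-coded per interpreter. */
int may_exec_fd(int fd)
{
    int noexec = fd_on_noexec_mount(fd);
    int xbit = fd_has_exec_bit(fd);
    if (noexec < 0 || xbit < 0)
        return -1;
    return (!noexec && xbit) ? 1 : 0;
}

/* Demo helper (constructed input, not from the patch): an unlinked temporary
 * file with the given mode so the checks can be exercised. Returns fd or -1. */
int create_constructed_file(mode_t mode)
{
    char path[] = "/tmp/mayexec-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                          /* keep the fd, drop the name */
    if (fchmod(fd, mode) != 0) { close(fd); return -1; }
    return fd;
}
```

Whether the executable-bit file is accepted depends on the mount /tmp sits on: on a noexec tmpfs may_exec_fd() still returns 0, which is exactly the mount-option propagation the patch wants the kernel to perform.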