Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4268825yba; Wed, 17 Apr 2019 08:05:15 -0700 (PDT) X-Google-Smtp-Source: APXvYqwobd/kvY2Mhh/gfBqQs5Biwucy31C9DIlxTKhg8Rv8+mWOvDXRcspY9VBqYc2XoRr4i12O X-Received: by 2002:a65:50c2:: with SMTP id s2mr79335011pgp.112.1555513515568; Wed, 17 Apr 2019 08:05:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555513515; cv=none; d=google.com; s=arc-20160816; b=NtvRjH73kg5G3C2VZlvbZIihw4K/1rf8Xiqn91eG1ujSkrqJuStagEO3cdvixgC9OI rvh1RRnZcuD2FoDVOFFF+yhRNqmkDzcsB3p4MrOpZibd0tdP/N+Be8NcQgPy2eR+hUyk tkd2/IbSkS6TGIF6+50+SMGqBKCNRsQArkZQwksyDypSyuapevtF8wpK+Ow17JGp5rou BObpfnVybRIThBGWX///O4Dgn2EHTxuz9ieREgmF/rHjek8t+oxWlnU+FhuUCQXuKTNq f7NDZ+PqsgZVLxx6WHJbnKakEElOrWc2Otq2X/7Xsq49g7HeTJi9T7yRMWQ19mc0vzQu vo3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=6fQFQs4KvaXVa7ifdPQzGXV05GkLsYeL3YFhWax6qXc=; b=jb0/hBkXRw0a/VcCZtIW7Kdyfv1ffPUYqSXtyUG+sLRAKN7Hc92x6aZBoCmiF/D6Fp wVqAhbPioRJsxQ09VAbACT2EJGR6Rw6U3RwEUQod9C5WZZJHFSlUQaa6UyJlCYPxYETf XMcuMldj1+Xi0ElSKXL/h7ytv9i59z1Yq3JgS1mJPt7H/SPiPgJT9nuHk8cfWbJjxd7h wAstszkSJckUmBfXwGG+Rbz7AumMV0mklBPaXdeIqXzBBiHb/Kh0nOe+xZaDZq4SXLM2 yKLfYgVJCttwNXs3POJATXlJ69baz2YerB/A/6mrpmBANSkXUgoh+uFeimdiFKj4T1FK Zpeg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b="RzWPzk4/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f1si52840125pld.32.2019.04.17.08.04.51; Wed, 17 Apr 2019 08:05:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b="RzWPzk4/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732635AbfDQPDg (ORCPT + 99 others); Wed, 17 Apr 2019 11:03:36 -0400 Received: from smtp-out.ssi.gouv.fr ([86.65.182.90]:52954 "EHLO smtp-out.ssi.gouv.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729940AbfDQPDg (ORCPT ); Wed, 17 Apr 2019 11:03:36 -0400 X-Greylist: delayed 488 seconds by postgrey-1.27 at vger.kernel.org; Wed, 17 Apr 2019 11:03:35 EDT Received: from smtp-out.ssi.gouv.fr (localhost [127.0.0.1]) by smtp-out.ssi.gouv.fr (Postfix) with ESMTP id 62F61D00070; Wed, 17 Apr 2019 16:55:33 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ssi.gouv.fr; s=20160407; t=1555512933; bh=uxjxZs6u+OwhN0aN3it9qhbwninzmheDD/wW/7ncIL0=; h=Subject:To:CC:References:From:Date:In-Reply-To:From:Subject; b=RzWPzk4/p+ERW6Kmm2jUlSvngbthsaqSJ4QY7LsqW++O+4g4CX7luGBn3v0meGRwd fG0o+rRxiDJ2qgnRK7WBP94uWSphuOylgqEbXqLuhzX0zeCh4LOV9XH0NhZTw/dVQb tfv3uJ0Jgo8g9L2lYeIW0srKLrec5StaW4Mwh4ObN+LR7Z3AeSeuSRttThR1MC8tj5 Zsw3SVWQmq9cCWceOyebPRTZ1frleNWLYJAyD5bBGOBPMcwcBUOQiMUPcDGeXtgTGR ygm48mcbYcbutj2K8wqSAyzZD58ATnEnt4nPuvQdGYLbUwVoQpHN8qwRi4uVffvlSb ZmzHwhjevmLhw== Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() To: Steve Grubb , Jan Kara CC: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , , Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , , , , , Matthew Bobrowski , Florian Weimer References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-2-mic@digikod.net> <20181212144306.GA19945@quack2.suse.cz> <3452959.b6JmBh7Lnt@x2> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <55d06e21-9a38-1297-615c-bc1e6e9f33ef@ssi.gouv.fr> Date: Wed, 17 Apr 2019 16:55:31 +0200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <3452959.b6JmBh7Lnt@x2> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 15/04/2019 20:47, Steve Grubb wrote: > Hello, > > On Wednesday, December 12, 2018 9:43:06 AM EDT Jan Kara wrote: >> On Wed 12-12-18 09:17:08, Micka=C3=ABl Sala=C3=BCn wrote: >>> When the O_MAYEXEC flag is passed, sys_open() may be subject to >>> additional restrictions depending on a security policy implemented by a= n >>> LSM through the inode_permission hook. >>> >>> The underlying idea is to be able to restrict scripts interpretation >>> according to a policy defined by the system administrator. For this to >>> be possible, script interpreters must use the O_MAYEXEC flag >>> appropriately. To be fully effective, these interpreters also need to >>> handle the other ways to execute code (for which the kernel can't help)= : >>> command line parameters (e.g., option -e for Perl), module loading >>> (e.g., option -m for Python), stdin, file sourcing, environment >>> variables, configuration files... According to the threat model, it ma= y >>> be acceptable to allow some script interpreters (e.g. Bash) to interpre= t >>> commands from stdin, may it be a TTY or a pipe, because it may not be >>> enough to (directly) perform syscalls. >>> >>> A simple security policy implementation is available in a following >>> patch for Yama. >>> >>> This is an updated subset of the patch initially written by Vincent >>> Strubel for CLIP OS: >>> https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb33= 0d >>> 6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch This patch has >>> been used for more than 10 years with customized script interpreters. >>> Some examples can be found here: >>> https://github.com/clipos-archive/clipos4_portage-overlay/search?q=3DO_= MAYE >>> XEC >>> >>> Signed-off-by: Micka=C3=ABl Sala=C3=BCn >>> Signed-off-by: Thibaut Sautereau >>> Signed-off-by: Vincent Strubel >>> Reviewed-by: Philippe Tr=C3=A9buchet >>> Cc: Al Viro >>> Cc: Kees Cook >>> Cc: Micka=C3=ABl Sala=C3=BCn >> >> ... >> >>> diff --git a/fs/open.c b/fs/open.c >>> index 0285ce7dbd51..75479b79a58f 100644 >>> --- a/fs/open.c >>> +++ b/fs/open.c >>> @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, >>> umode_t mode, struct open_flags *o> >>> if (flags & O_APPEND) >>> >>> acc_mode |=3D MAY_APPEND; >>> >>> + /* Check execution permissions on open. */ >>> + if (flags & O_MAYEXEC) >>> + acc_mode |=3D MAY_OPENEXEC; >>> + >>> >>> op->acc_mode =3D acc_mode; >>> >>> op->intent =3D flags & O_PATH ? 0 : LOOKUP_OPEN; >> >> I don't feel experienced enough in security to tell whether we want this >> functionality or not. But if we do this, shouldn't we also set FMODE_EXE= C >> on the resulting struct file? That way also security_file_open() can be >> used to arbitrate such executable opens and in particular >> fanotify permission event FAN_OPEN_EXEC will get properly generated whic= h I >> guess is desirable (support for it is sitting in my tree waiting for the >> merge window) - adding some audit people involved in FAN_OPEN_EXEC to CC= . >> Just an idea... > > Late in replying. But I think it's important to have a deep look into the > issue. > > TL;DR - This is a gentle man's handshake. It won't _really_ solve the > problem. Thanks for your comments. You should find most answers in this thread: https://lore.kernel.org/lkml/20181212081712.32347-4-mic@digikod.net/ The threat model targets persistent attacks. This O_MAYEXEC flag is not a silver bullet but it's a needed block to enforce a security policy on a trusted system. This means that every component executable on the system must be controlled, which means they may need some bit of customization. Today no userspace application use this flag (except in CLIP OS), but we need to first create a feature before it can be used. It is very important to have in mind that a system security policy need to have a (central) security manager, in this case the kernel thanks to Yama's policy (but it could be SELinux, IMA or any other LSM). The goal is not to give to the developer the job of defining a security policy for the *system*; this job is for the system administrator (or the distro). > > This flag that is being proposed means that you would have to patch all > interpreters to use it. If you are sure that upstreams will accept that, = why > not just change the policy to interpreters shouldn't execute anything unl= ess > the execute bit is set? That is simpler and doesn't need a kernel change.= And > setting the execute bit is an auditable event. As said above, the definition of a the security policy is the job of the system administrator. Moreover, the security policy may be defined by the mount point restrictions (i.e. noexec) but it should be definable with something else (e.g. a SELinux or IMA policy which may be agnostic to the mount points). > > The bottom line is that any interpreter has to become a security policy > enforcement point whether by indicating it wants to execute by setting a = flag > or by refusing to use a file without execute bit set. But this just moves= the > problem to one that is harder to fix. Why in the world does any programmi= ng > language allow programs to be loaded via stdin? > > It is possible to wget a program and pipe it into python which subsequent= ly > pulls down an ELF shared object and runs it all without touching disk via > memfd_create (e.g. SnakeEater). This is all direct to memory execution. A= nd > direct to memory bypasses anti-virus, selinux, IMA, application whitelist= ing, > and other integrity schemes. > > So, to fix this problem, you really need to not allow any programs to loa= d via > stdin so that everything that executes has to touch disk. This way you ca= n > get a fanotify event and see the application and vote yes/no on allowing = it. > And this will be particularly harder with the memfd_create fix for the ru= nc > container breakout. Prior to that, there were very few uses of that syste= m > call. Now it may be very common which means finding malicious use just go= t > harder to spot. As said above, stdin must be restricted in some way. You may want to take a look at the CLIP OS patches (which doesn't only add the O_MAYEXEC flag but restrict other way to interpret code). It may be foolish to block or restrict stdin for interpreters on a developer workstation, but it may make sense for an embedded custom system. The same apply for memfd_create. If you want to enforce a security policy on this kind of *file descriptor*, you should ask to the proper LSM to do so. The current Yama patch deal with this kind of FD if they are accessed through /proc/*/fd because the procfs is mounted with noexec. Anyway, the interpreter must *inform* the LSM that it wants to execute/interpret something from this FD, which is done thanks to the O_MAYEXEC flag. > > But assuming these problems got fixed, then we have yet another place to = look. > Many interpreters allow you to specify a command to run via arguments. So= me > have a small buffer and some allow lengthy programs to be entered as an > argument. One strategy might be that an attacker can bootstrap a lengthie= r > program across the network. Python for example allows loading modules acr= oss > a network. All you need to put in the commandline is the override for the > module loader and a couple modules to import. It then loads the modules > remotely. Getting rid of this hole will likely lead to some unhappy peopl= e - > meaning it can't be fixed. Again, this depend on the threat model and the corresponding product. If you want to handle everything on your system, then you may need some adjustments. > > And even if we get that fixed, we have one last hole to plug. Shells. One= can > simply start a shell and paste their program into the shell and then exec= ute > it. You can easily do this with bash or python or any language that has a > REPL (read=E2=80=93eval=E2=80=93print loop). To fix this means divorcing = the notion of a > language from a REPL. Production systems really do not need a Python shel= l, > they need the interpreter. I doubt that this would be popular. But fixing= each > of these issues is what it would take to prevent unknown software from > running. Not going this far leaves holes. This is also covered by the threat model defined in the patch 3/5 (i.e. protect the kernel by restricting arbitrary syscalls). Regards, -- Micka=C3=ABl Sala=C3=BCn ANSSI/SDE/ST/LAM Les donn=C3=A9es =C3=A0 caract=C3=A8re personnel recueillies et trait=C3=A9= es dans le cadre de cet =C3=A9change, le sont =C3=A0 seule fin d=E2=80=99ex= =C3=A9cution d=E2=80=99une relation professionnelle et s=E2=80=99op=C3=A8re= nt dans cette seule finalit=C3=A9 et pour la dur=C3=A9e n=C3=A9cessaire =C3= =A0 cette relation. Si vous souhaitez faire usage de vos droits de consulta= tion, de rectification et de suppression de vos donn=C3=A9es, veuillez cont= acter contact.rgpd@sgdsn.gouv.fr. Si vous avez re=C3=A7u ce message par err= eur, nous vous remercions d=E2=80=99en informer l=E2=80=99exp=C3=A9diteur e= t de d=C3=A9truire le message. The personal data collected and processed du= ring this exchange aims solely at completing a business relationship and is= limited to the necessary duration of that relationship. If you wish to use= your rights of consultation, rectification and deletion of your data, plea= se contact: contact.rgpd@sgdsn.gouv.fr. If you have received this message i= n error, we thank you for informing the sender and destroying the message.