Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4269953yba; Wed, 17 Apr 2019 08:06:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqyaiPjh+qiRiyIGsiDZdC4SF63CQvrW08USnYWMY5iqghg1fV98MHY1wh0qffueURwK5dxW X-Received: by 2002:a17:902:9a85:: with SMTP id w5mr47514930plp.157.1555513582249; Wed, 17 Apr 2019 08:06:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555513582; cv=none; d=google.com; s=arc-20160816; b=oMBejDh8OGzevE25k6rKTFp4oM5v8RXkB8x3m50ASUZ5HCEPlOVbJ9SdGFzzF5noLv ERwgDmnbmLEkCix5x0GZ2F6qOmvX/Hy7ZnOhhoE+DjiSdMtWo30FyGepiXYfqiNnVgbW eWkub5xkYAGeHd3WJAzg4z0VbTJNirX/bN2gDBWVndr1LlrvYtao/pxsznlNZN9ZXvDE PGmsP9LQUGv4Zi1i0byYzaC4TTFwV3ecikQhWeai/lbrgTKVUOj26nCaywjbf6dCgMh4 xyD2/+hmrlLMIHRpjYLakr1lo8ZyANJPAksIg41EVxHlGNQ/yzgTjyVBP3r977oPYnJP B3GQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=jNWAc5bSvpclXrM8/MCSI49btZbiMeM1trnOa/yyO7k=; b=w0yzzWXSEYogfGyhvQ/YBcWZGSJRU1OXYKZdpLxkMTci0YzOdQN/XwmvIUMBrfufMC nFB7ODIpk+aQ11Qz5rPELEPfOHR3WjmhLPujICSvmU6/aLlSVW0Ehb7FaP/Iq9qVdKiS edcojSwZUmmKfLQJBW3OnyBhfucqde27BPxX/fU2BXZG5D9d9vNqJy7Ocvq2ntETa2xO XIzxoMU8+EeXan4j6mPoL2uaVRNHk+01o7p0SA4UOe0qj3BE08P31rG+s8hnpZY/6t+s Q+FnX7r5ZgvJbAvThC0cxl+guTCacJrOFiD89GbjbnIl5dMCEqn01DdyN51uby0woMil 1seg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b=jV8MxviG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j65si15444608plb.159.2019.04.17.08.05.58; Wed, 17 Apr 2019 08:06:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@ssi.gouv.fr header.s=20160407 header.b=jV8MxviG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732352AbfDQPEh (ORCPT + 99 others); Wed, 17 Apr 2019 11:04:37 -0400 Received: from smtp-out.ssi.gouv.fr ([86.65.182.90]:58753 "EHLO smtp-out.ssi.gouv.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729940AbfDQPEh (ORCPT ); Wed, 17 Apr 2019 11:04:37 -0400 Received: from smtp-out.ssi.gouv.fr (localhost [127.0.0.1]) by smtp-out.ssi.gouv.fr (Postfix) with ESMTP id D8105D00072; Wed, 17 Apr 2019 17:04:42 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ssi.gouv.fr; s=20160407; t=1555513482; bh=bWo7dnLioagPdYzeH6OkizN9W/LfrOvfG5WnkrxndVw=; h=Subject:To:CC:References:From:Date:In-Reply-To:From:Subject; b=jV8MxviGAxdH+OunhCErssEvmPHeF5oMM0dJwXZGbLsBnQBYC9fjrZVbkqxoix+z6 fGco0gKIhKr6uZOsQmD2Xcq3eyBCTtHKeqV1Ey4oawf62voYRXB//2fmMoLsIADZpw N/jraYDvIUwiBLDvPGGo5hODncdzH7hqmo95k1uyU9n7wM8tmB+fSS0QvkNlZTQXDk h3DGsO7tJZmcbppX2R+l3sOwg5x7hLdctG5mQspxmvgJYTHIsJrot07zmb8uvloTGu /wrosttuAMbxalRCK/WP9Pc+GJcvt1uYnmxJiODolngESMD85YdxsJjGe4wTyloqAV yIVgV30KDqvzw== Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() To: Florian Weimer , Steve Grubb CC: Jan Kara , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , , Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , , , , , Matthew Bobrowski References: <20181212081712.32347-1-mic@digikod.net> <3452959.b6JmBh7Lnt@x2> <87wojuxj8s.fsf@oldenburg2.str.redhat.com> <2361288.r9sZr2NHLB@x2> <875zrd7xy8.fsf@oldenburg2.str.redhat.com> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <7da3a491-232a-5a02-63a2-65aa9df413ea@ssi.gouv.fr> Date: Wed, 17 Apr 2019 17:04:41 +0200 User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: <875zrd7xy8.fsf@oldenburg2.str.redhat.com> Content-Type: text/plain; charset="utf-8" Content-Language: en-GB Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 17/04/2019 12:01, Florian Weimer wrote: > * Steve Grubb: > >> On Tuesday, April 16, 2019 7:49:39 AM EDT Florian Weimer wrote: >>> * Steve Grubb: >>>> This flag that is being proposed means that you would have to patch al= l >>>> interpreters to use it. If you are sure that upstreams will accept tha= t, >>>> why not just change the policy to interpreters shouldn't execute >>>> anything unless the execute bit is set? That is simpler and doesn't ne= ed >>>> a kernel change. And setting the execute bit is an auditable event. >>> >>> I think we need something like O_MAYEXEC so that security policies can >>> be enforced and noexec mounts can be detected. >> >> Application whitelisting can already today stop unknown software without >> needing O_MAYEXEC. Whitelisting may be a lot of thing (path/TPE, signed binaries=E2=80=A6), bu= t being able to handle this with a global system configuration (instead of app-specific hardcoded configuration) is a good idea. ;) > > I'm somewhat interested in using this to add a proper check for > executability to explicit dynamic loader invocations. In other words, > this > > /lib64/ld-linux-x86-64.so.2 /path/to/noexec/fs/program > > should refuse to run the program if the program is located on a file > system mounted with the noexec attribute. What if a sysadmin need to do this on an executable mount point? Being able to enforce a security policy according to a configuration may fit to much more use cases. > >> The problem is that passing O_MAYEXEC is opt-in. You can use ptrace/secc= omp/ >> bpf/LD_PRELOAD/LD_AUDIT to remove that bit from an otherwise normal prog= ram. >> This does not require privs to do so. > > That doesn't really help with the above. Right, ptrace/LD_PRELOAD and so on must be addressed by something else than only O_MAYEXEC. > >> But let's consider that this comes to pass and every interpreter is >> updated and IMA can see the O_MAYEXEC flag. Attackers now simply pivot >> to running programs via stdin. It never touches disk and therefore >> nothing enforces security policy. This already is among the most >> common ways that malware runs today to evade detection. As my previous reply, use cases like stdin may be restricted as well. > > Are you referring to Windows malware using Powershell? > > I'm not sure this is applicable to Linux. We do not have much > behavioral monitoring anyway. > > Thanks, > Florian > -- Micka=C3=ABl Sala=C3=BCn ANSSI/SDE/ST/LAM Les donn=C3=A9es =C3=A0 caract=C3=A8re personnel recueillies et trait=C3=A9= es dans le cadre de cet =C3=A9change, le sont =C3=A0 seule fin d=E2=80=99ex= =C3=A9cution d=E2=80=99une relation professionnelle et s=E2=80=99op=C3=A8re= nt dans cette seule finalit=C3=A9 et pour la dur=C3=A9e n=C3=A9cessaire =C3= =A0 cette relation. Si vous souhaitez faire usage de vos droits de consulta= tion, de rectification et de suppression de vos donn=C3=A9es, veuillez cont= acter contact.rgpd@sgdsn.gouv.fr. Si vous avez re=C3=A7u ce message par err= eur, nous vous remercions d=E2=80=99en informer l=E2=80=99exp=C3=A9diteur e= t de d=C3=A9truire le message. The personal data collected and processed du= ring this exchange aims solely at completing a business relationship and is= limited to the necessary duration of that relationship. If you wish to use= your rights of consultation, rectification and deletion of your data, plea= se contact: contact.rgpd@sgdsn.gouv.fr. If you have received this message i= n error, we thank you for informing the sender and destroying the message.