Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp2062428ybh; Sun, 4 Aug 2019 16:57:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqw/YODBMm56rmn7mqUQ8//Hdm+NuP6tk9SGx6CnzdN62GmT3Za23hhflU3T1Cr+KXhXHl9t X-Received: by 2002:a63:3fc9:: with SMTP id m192mr12951529pga.429.1564963060553; Sun, 04 Aug 2019 16:57:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564963060; cv=none; d=google.com; s=arc-20160816; b=fABhEa4dOWXkidOqZkocr51CWvLjXyI7IQqgDdQNrVKxGhdbX3rAyfw4CvFVC4zDSm wT9eHhanCR6BNXBeW7Bs0n8gKCVUVfh0Zwq9zBK4HibSXJqXvQs8ajXahlvkt7VViRG5 U88aj1zW3wrNVpEWemxsREQ+gfLqhPBdnxzooJWRqOXuwZmNtYnbykipbw94bFaNSSS4 yeZGcR7GgbOYAN4cnUYd2pjqyNUiuXSQKOF4kTT+8DP7YsJ2IJmRFgmiRRpr89kKk5ly g5IGANcwzukD9zpWpFGQ7/oHdw2VB+hhaRrUPidaJ1q5AnCuWYPA+GND03OlgPQPWeYr W5cA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=tKb1cuc8xk3b22r7x5QCey5AHZBG8xCRSUthm3fIzWg=; b=ygDvJnuBfrcYR/uti/wB2qEwSf4K01GvzSZAHGtF/dYL59Mods28pINbMHkj0pDdvx hzLXye407+TAQpbKIXUgOj1Uwmfrm8I5hrynB6DURVHzXhgDnbO6bOInwgL2EVvjrV76 XHJiY3kkrCq5R0HU/GGDuhOQtEbGiD5DkrOnhsqx9FPnme4vJlu5ABHe7razOSqciztF 0tDARp+HNDL42A3XWYvjQNYQHAWW5uTuHDTFaNSTWiwwDyNqmyst7UxDDLyxMOpOENUD ruaP/jorfwVeB4UKS9nM/G+LjTDq65d1YCH/GMefKp5H8oZ1Cfyohp51bk948AvNXx92 5n/g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Tin6aimq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x10si45049717pfj.93.2019.08.04.16.57.11; Sun, 04 Aug 2019 16:57:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Tin6aimq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726779AbfHDX4M (ORCPT + 99 others); Sun, 4 Aug 2019 19:56:12 -0400 Received: from mail.kernel.org ([198.145.29.99]:51888 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726526AbfHDX4M (ORCPT ); Sun, 4 Aug 2019 19:56:12 -0400 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 04A7F2184D for ; Sun, 4 Aug 2019 23:56:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1564962971; bh=hacK3bFBwtrAv/U9OhwzLwLEIvnI+bjiQ7pJZVwvUsc=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Tin6aimqbUktCSVyh2pQFl4yew/nSKUAarqqu6+FjM/1ZGclyH0ae5exjIwkdtmAw mitkSm0fmUi/JQiSXSP2ej80UFkIHnZjEuVPkW5YC15UuQ8G5GCCM/WZH84R6qCsiF /KAfzb0sgjDZCPMIW+Wbqph1Ydij/bEzq/WTkUe8= Received: by mail-wr1-f48.google.com with SMTP id p17so82555791wrf.11 for ; Sun, 04 Aug 2019 16:56:10 -0700 (PDT) X-Gm-Message-State: APjAAAVab7ig959nyo4ENTeL2Js3KvInEKD4z+ZGqU52WUEU1xiU58n0 KCk9QNOKi7OiGJmcSLoDehPzpcK8lJUC0CRNJoFf9A== X-Received: by 2002:adf:dd0f:: with SMTP id a15mr3574634wrm.265.1564962969300; Sun, 04 Aug 2019 16:56:09 -0700 (PDT) MIME-Version: 1.0 References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-2-mic@digikod.net> <20181212144306.GA19945@quack2.suse.cz> In-Reply-To: <20181212144306.GA19945@quack2.suse.cz> From: Andy Lutomirski Date: Sun, 4 Aug 2019 16:55:58 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() To: Jan Kara , Song Liu , Alexei Starovoitov , Daniel Borkmann Cc: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , LKML , Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=C3=A9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , Kernel Hardening , Linux API , LSM List , Linux FS Devel , Steve Grubb , Matthew Bobrowski Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Dec 12, 2018 at 6:43 AM Jan Kara wrote: > > On Wed 12-12-18 09:17:08, Micka=C3=ABl Sala=C3=BCn wrote: > > When the O_MAYEXEC flag is passed, sys_open() may be subject to > > additional restrictions depending on a security policy implemented by a= n > > LSM through the inode_permission hook. > > > > The underlying idea is to be able to restrict scripts interpretation > > according to a policy defined by the system administrator. For this to > > be possible, script interpreters must use the O_MAYEXEC flag > > appropriately. To be fully effective, these interpreters also need to > > handle the other ways to execute code (for which the kernel can't help)= : > > command line parameters (e.g., option -e for Perl), module loading > > (e.g., option -m for Python), stdin, file sourcing, environment > > variables, configuration files... According to the threat model, it ma= y > > be acceptable to allow some script interpreters (e.g. Bash) to interpre= t > > commands from stdin, may it be a TTY or a pipe, because it may not be > > enough to (directly) perform syscalls. > > > > A simple security policy implementation is available in a following > > patch for Yama. > > > > This is an updated subset of the patch initially written by Vincent > > Strubel for CLIP OS: > > https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb33= 0d6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch > > This patch has been used for more than 10 years with customized script > > interpreters. Some examples can be found here: > > https://github.com/clipos-archive/clipos4_portage-overlay/search?q=3DO_= MAYEXEC > > > > Signed-off-by: Micka=C3=ABl Sala=C3=BCn > > Signed-off-by: Thibaut Sautereau > > Signed-off-by: Vincent Strubel > > Reviewed-by: Philippe Tr=C3=A9buchet > > Cc: Al Viro > > Cc: Kees Cook > > Cc: Micka=C3=ABl Sala=C3=BCn > > ... > > > diff --git a/fs/open.c b/fs/open.c > > index 0285ce7dbd51..75479b79a58f 100644 > > --- a/fs/open.c > > +++ b/fs/open.c > > @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, umod= e_t mode, struct open_flags *o > > if (flags & O_APPEND) > > acc_mode |=3D MAY_APPEND; > > > > + /* Check execution permissions on open. */ > > + if (flags & O_MAYEXEC) > > + acc_mode |=3D MAY_OPENEXEC; > > + > > op->acc_mode =3D acc_mode; > > > > op->intent =3D flags & O_PATH ? 0 : LOOKUP_OPEN; > > I don't feel experienced enough in security to tell whether we want this > functionality or not. But if we do this, shouldn't we also set FMODE_EXEC > on the resulting struct file? That way also security_file_open() can be > used to arbitrate such executable opens and in particular > fanotify permission event FAN_OPEN_EXEC will get properly generated which= I > guess is desirable (support for it is sitting in my tree waiting for the > merge window) - adding some audit people involved in FAN_OPEN_EXEC to > CC. Just an idea... > I would really like to land this patch. I'm fiddling with making bpffs handle permissions intelligently, and the lack of a way to say "hey, I want to open this bpf program so that I can run it" is annoying. --Andy