Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp78069ybk; Tue, 12 May 2020 15:58:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzMGvR6QGMEl1jSXdZdvPbV6ezvu1AixcuWsNPoLat4mnNiKUjYnx6OVLaD9DUKp8t10QKw X-Received: by 2002:a17:907:1189:: with SMTP id uz9mr9100141ejb.53.1589324327225; Tue, 12 May 2020 15:58:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589324327; cv=none; d=google.com; s=arc-20160816; b=n98h5CYLI5fIHrUwybF4ETxoiPl39Vuf9+AqgJsj67UIPiMUfv8XGzRyfDPbnCSITY FTBEX5NDyWH0OGvoh/fkauOo2qoSAQpMks37GD7TbBih6qg/og3AIixNguiLMkAW9iNx 1M3A7/Q/lvibBxD0AkI3J320wet2dESd+5tEN7ZRHZfe1ojkcQE76IfMaPvccUwab16l WwtQo1VAbEzynZfXpISyZySanO2+i6a3yYdzhFWRL2qr+0CiQOhf0fYWKxvRj7P3pgtO qR/cBkthFqhWeZ/H7eeTGmJY1ATw5etU4AWdwVL6x399Iu+JkeneQRaaX9GeSB2dZiJN 5wcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=IXpIsoQged7M/ri/embTMdJh9eC3HGIEafUuSr0Sgp4=; b=PW0w3o1TCt4/YIvrfbnHPGbwrV6mapU60suCFuFacOMZpf3KQsgVLv+NyrOjwUiiCA gk3MCXMvRTEfHi55P8DzeJBvGFJ2PkJ3akfuGtdW9UA708kj2ASi2AO6ajjJgJYpCSlA PsU+dmTOgDul6MPnEFb/Ei/RQY721gCOQvldJqy4UkXVnxeHmw8Aj3DLt+8fdyKNgaiW XJ70fNLsahLGigzHtxGc//5Gxosio4jBFW2ag2cVfsivyxQMQoUR4K+ukH8fwnIAirp/ FMGXYygbnIi12OAid3FICkNhWGiwKIVszKi8zrT3tTzpTblJf2/iU2T8I2rfhpqdma+o 5DJA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="N9/eEWjx"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b10si8712734ejd.323.2020.05.12.15.58.24; Tue, 12 May 2020 15:58:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b="N9/eEWjx"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731454AbgELW4t (ORCPT + 99 others); Tue, 12 May 2020 18:56:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60784 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728220AbgELW4t (ORCPT ); Tue, 12 May 2020 18:56:49 -0400 Received: from mail-pj1-x1044.google.com (mail-pj1-x1044.google.com [IPv6:2607:f8b0:4864:20::1044]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 365CFC061A0C for ; Tue, 12 May 2020 15:56:49 -0700 (PDT) Received: by mail-pj1-x1044.google.com with SMTP id a5so10253372pjh.2 for ; Tue, 12 May 2020 15:56:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=IXpIsoQged7M/ri/embTMdJh9eC3HGIEafUuSr0Sgp4=; b=N9/eEWjx4KryymG7ZL/gSXanLr0DYNDcTqpqniqQuUXfGEZEOCiOVCUM31Rkg5hbPF RYrLa1KR6sZdrXCo182VyfY9tc7Dc8vFc162i/vIcqYJQGy8FcEAaac5BV+8lc+P9xKZ wBGT4FqmIHHPX2e1wzE8uLoPmiAHm59yHXR8U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=IXpIsoQged7M/ri/embTMdJh9eC3HGIEafUuSr0Sgp4=; b=oJ/ztDwd5czbEB4SnbD9kfPnNVBlSb+jeiJ+j7Bc3yBZM3ctPTiMYKz6rC9Pveq/dG eFhvORT3Jst3sDlJpziyoitUQkiv3vnyJyfcdEmUvwUetDfqDaxDdYbrgglhtQufJmWQ spww+W25USVDwNlI+nbDz+IFtaB6wCWYk45ysBgbSrgb1eil37gtgs5aB1E+5nOs2b7u wzyg4jM+fkdi3YtempKIvqvbaFglgjvf8Io6nHP2a1fc3KeDLUWMVwQmOgbKHUhXeEsp VTN5uGnzGIVLKV6+pSvH9yK3GjBb9QSc8zmBQ1pabWm2wyLNCNJ+xpOSeoF/JC5sLJgn 1xAw== X-Gm-Message-State: AGi0PubEtyJWYuWIc0CYgiyD9VRWGNY1gm3SYf6yU74tkxcL8Tp5tEZS p5LN+E3G+cMPlOYycyS+jC3nTQ== X-Received: by 2002:a17:90a:7788:: with SMTP id v8mr30342795pjk.111.1589324208728; Tue, 12 May 2020 15:56:48 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id u5sm11217857pgi.70.2020.05.12.15.56.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 May 2020 15:56:47 -0700 (PDT) Date: Tue, 12 May 2020 15:56:46 -0700 From: Kees Cook To: Christian Heimes Cc: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , linux-kernel@vger.kernel.org, Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Daniel Borkmann , Deven Bowers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= , Mimi Zohar , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) Message-ID: <202005121555.0A446763@keescook> References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-2-mic@digikod.net> <202005121258.4213DC8A2@keescook> <0c70debd-e79e-d514-06c6-4cd1e021fa8b@python.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <0c70debd-e79e-d514-06c6-4cd1e021fa8b@python.org> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, May 12, 2020 at 11:40:35PM +0200, Christian Heimes wrote: > On 12/05/2020 23.05, Kees Cook wrote: > > On Tue, May 05, 2020 at 05:31:51PM +0200, Micka?l Sala?n wrote: > >> When the O_MAYEXEC flag is passed, openat2(2) may be subject to > >> additional restrictions depending on a security policy managed by the > >> kernel through a sysctl or implemented by an LSM thanks to the > >> inode_permission hook. This new flag is ignored by open(2) and > >> openat(2). > >> > >> The underlying idea is to be able to restrict scripts interpretation > >> according to a policy defined by the system administrator. For this to > >> be possible, script interpreters must use the O_MAYEXEC flag > >> appropriately. To be fully effective, these interpreters also need to > >> handle the other ways to execute code: command line parameters (e.g., > >> option -e for Perl), module loading (e.g., option -m for Python), stdin, > >> file sourcing, environment variables, configuration files, etc. > >> According to the threat model, it may be acceptable to allow some script > >> interpreters (e.g. Bash) to interpret commands from stdin, may it be a > >> TTY or a pipe, because it may not be enough to (directly) perform > >> syscalls. Further documentation can be found in a following patch. > > > > You touch on this lightly in the cover letter, but it seems there are > > plans for Python to restrict stdin parsing? Are there patches pending > > anywhere for other interpreters? (e.g. does CLIP OS have such patches?) > > > > There's always a push-back against adding features that have external > > dependencies, and then those external dependencies can't happen without > > the kernel first adding a feature. :) I like getting these catch-22s > > broken, and I think the kernel is the right place to start, especially > > since the threat model (and implementation) is already proven out in > > CLIP OS, and now with IMA. So, while the interpreter side of this is > > still under development, this gives them the tool they need to get it > > done on the kernel side. So showing those pieces (as you've done) is > > great, and I think finding a little bit more detail here would be even > > better. > > Hi, > > Python core dev here. > > Yes, there are plans to use feature for Python in combination with > additional restrictions. For backwards compatibility reasons we cannot > change the behavior of the default Python interpreter. I have plans to > provide a restricted Python binary that prohibits piping from stdin, > disables -c "some_code()", restricts import locations, and a couple of > other things. O_MAYEXEC flag makes it easier to block imports from > noexec filesystems. > > My PoC [1] for a talk [2] last year is inspired by IMA appraisal and a > previous talk by Micka?l on O_MAYEXEC. > > Christian > > [1] https://github.com/zooba/spython/blob/master/linux_xattr/spython.c > [2] > https://speakerdeck.com/tiran/europython-2019-auditing-hooks-and-security-transparency-for-cpython Ah, fantastic; thank you! Yes, this will go a long way for helping demonstration to other folks that there are people who will be using this feature. :) -- Kees Cook