Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp404173ybk; Wed, 13 May 2020 03:17:56 -0700 (PDT) X-Google-Smtp-Source: APiQypK9J3WKe3MaOHuILsc64AmaYxXtHpQvsgfNLJeT2QcCm39mnegH4lZivBGE4IHM6esAOm2I X-Received: by 2002:a05:6402:357:: with SMTP id r23mr13267106edw.230.1589365076504; Wed, 13 May 2020 03:17:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589365076; cv=none; d=google.com; s=arc-20160816; b=LDqlhF8EyJTO5tWw+UPeGsm74KN3m3u+EncOHyA3zmDwvrGD6iwZDhLTLbqXIIV/3j WjA/9bnFRDFat3oaw+71PvX+4cEHqZV1bGwBEJmLShmilYcujnk58FE0SIDRYNhpHypb Z/few5ELVZM53ouyUQgvfh3SZs0bwnrhEEbF2HiZyU28CnG6wVaFcwhxmC4vxDvilO4p 9rcBRimuqpGGfiEVj70I1gdvAl7sdwA6OwNGtPan24j7VFg5uua9QohNaSYN4mWimb2s EwpJ1zF8lNLtab/U69PCq5dP/2nqyOQcVRYTJpkY8jXIidr1gbkkJblXJOmSdwORaThT ZQew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=2J1yV4S7aZEIVNj/9oCtrZ53yO4XLV+ehfnPyyr9sgU=; b=MxdOR+scGH/9p9oObDEw9m2Ip3zrzmEPYR0oWMTlGl9YPQwlu0hUbNeLf1H7+C2D7R GepPyU7rHtF8a8hW9fjtNisGYVlyBdCMEeKSkRN04tsi9q9p+HRe7ki8xtGnrGclna8r bZdA8gL7szodpt63bCXLnXt7Lu4wezdzqRCkcdUF906ojHETT1M6IBSVb1kuWHcaP09y Zeyas/HuotOfwlv1jRiQ/EewBvobZQoRFYmu5FPV2dNFlB5yB8ihbqvqQhnow3dPXFpH o97nCHbME88kSiOibB6iAukv/a3sBcSlU9xXNHfyS1mpYWcyJvcPFLZwd+nbq7Sbmonf AT4g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o14si5807908eja.223.2020.05.13.03.17.32; Wed, 13 May 2020 03:17:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732382AbgEMKNz (ORCPT + 99 others); Wed, 13 May 2020 06:13:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53020 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732620AbgEMKNy (ORCPT ); Wed, 13 May 2020 06:13:54 -0400 Received: from smtp-bc09.mail.infomaniak.ch (smtp-bc09.mail.infomaniak.ch [IPv6:2001:1600:3:17::bc09]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7E291C061A0F for ; Wed, 13 May 2020 03:13:54 -0700 (PDT) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49MVrD08xhzlhGkd; Wed, 13 May 2020 12:13:48 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 49MVr10GnBzlhBZN; Wed, 13 May 2020 12:13:36 +0200 (CEST) Subject: Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) To: Kees Cook Cc: linux-kernel@vger.kernel.org, Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Deven Bowers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-2-mic@digikod.net> <202005121258.4213DC8A2@keescook> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <39141f3e-0a4a-6a0f-a86e-7c769fe06ffd@digikod.net> Date: Wed, 13 May 2020 12:13:36 +0200 User-Agent: MIME-Version: 1.0 In-Reply-To: <202005121258.4213DC8A2@keescook> Content-Type: text/plain; charset=iso-8859-15 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 12/05/2020 23:05, Kees Cook wrote: > On Tue, May 05, 2020 at 05:31:51PM +0200, Micka?l Sala?n wrote: >> When the O_MAYEXEC flag is passed, openat2(2) may be subject to >> additional restrictions depending on a security policy managed by the >> kernel through a sysctl or implemented by an LSM thanks to the >> inode_permission hook. This new flag is ignored by open(2) and >> openat(2). >> >> The underlying idea is to be able to restrict scripts interpretation >> according to a policy defined by the system administrator. For this to >> be possible, script interpreters must use the O_MAYEXEC flag >> appropriately. To be fully effective, these interpreters also need to >> handle the other ways to execute code: command line parameters (e.g., >> option -e for Perl), module loading (e.g., option -m for Python), stdin, >> file sourcing, environment variables, configuration files, etc. >> According to the threat model, it may be acceptable to allow some script >> interpreters (e.g. Bash) to interpret commands from stdin, may it be a >> TTY or a pipe, because it may not be enough to (directly) perform >> syscalls. Further documentation can be found in a following patch. > > You touch on this lightly in the cover letter, but it seems there are > plans for Python to restrict stdin parsing? Are there patches pending > anywhere for other interpreters? (e.g. does CLIP OS have such patches?) There is some example from CLIP OS 4 here : https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC If you take a look at the whole pointed patches there is more than the O_MAYEXEC changes (which matches this search) e.g., to prevent Python interactive execution. There is patches for Bash, Wine, Java (Icedtea), Busybox's ash, Perl and Python. There is also some related patches which do not directly rely on O_MAYEXEC but which restrict the use of browser plugins and extensions, which may be seen as scripts too: https://github.com/clipos-archive/clipos4_portage-overlay/tree/master/www-client > > There's always a push-back against adding features that have external > dependencies, and then those external dependencies can't happen without > the kernel first adding a feature. :) I like getting these catch-22s > broken, and I think the kernel is the right place to start, especially > since the threat model (and implementation) is already proven out in > CLIP OS, and now with IMA. So, while the interpreter side of this is > still under development, this gives them the tool they need to get it > done on the kernel side. So showing those pieces (as you've done) is > great, and I think finding a little bit more detail here would be even > better. OK, I can add my previous comment in the next cover letter. > >> A simple security policy implementation, configured through a dedicated >> sysctl, is available in a following patch. >> >> This is an updated subset of the patch initially written by Vincent >> Strubel for CLIP OS 4: >> https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb330d6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch >> This patch has been used for more than 11 years with customized script >> interpreters. Some examples (with the original name O_MAYEXEC) can be >> found here: >> https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC >> >> Signed-off-by: Micka?l Sala?n >> Signed-off-by: Thibaut Sautereau >> Signed-off-by: Vincent Strubel > > nit: this needs to be reordered. It's expected that the final SoB > matches the sender. OK, I just sorted the list alphabetically. > If you're trying to show co-authorship, please > see: > > https://www.kernel.org/doc/html/latest/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by > > Based on what I've inferred about author ordering, I think you want: > > Co-developed-by: Vincent Strubel > Signed-off-by: Vincent Strubel > Co-developed-by: Thibaut Sautereau > Signed-off-by: Thibaut Sautereau > Co-developed-by: Micka?l Sala?n > Signed-off-by: Micka?l Sala?n OK, according to the doc I'll remove myself as Co-developped-by because I'm already in the From, though. > >> Reviewed-by: Deven Bowers >> Cc: Aleksa Sarai >> Cc: Al Viro >> Cc: Kees Cook > > Everything else appears good to me, but Al and Aleksa know VFS internals > way better. :) > > Reviewed-by: Kees Cook > Thanks!