Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp1576797ybk; Thu, 14 May 2020 12:23:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzDZJE3GiHndtN1xpGe9B9L8RbcGMg8e/gavis3Wn8oYEUtUHtSuTcHqczXAExrprpVIlz9 X-Received: by 2002:a05:6402:783:: with SMTP id d3mr5298033edy.295.1589484206432; Thu, 14 May 2020 12:23:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589484206; cv=none; d=google.com; s=arc-20160816; b=YGx//JZ4Lk8GDwXfKt6CFLy5Ffd4NZzfWqOlKkoiD6sHF07VInzTYfoumm1xFgWS/p df29HKlFqmXIk2S0gRPf9+PdLJe94m7HLpNd/IvG+DTv0Bt4JIjUsJ9i7wH4lYyUtKaB GAeHEr9zO0RuxQ0U24v/jIhJ7E5Tg39JYZkD+HrRr2hzzSze8ZEWKp90iflj2r9BWpUT Nq9GEXPomb/nWI0HzgVQxTy3sXSvNyIjGE+xixctCzGD/fgQIgB7Q9sTn7Juqs6HQbYR kSfsDHcP80qUxvv5JvmYFcbC6yNQD2BU06DOYCIrSsGdYjUPo+2J5WnN7lD9VOlbzvUF LQ3Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=xynLb3I5kAr3L4TLsEkLiPC8sGAEv5W71Umh4VX3mEo=; b=XYelfFlHqF/vHq6wBwaX21bpdHRzldwXNw0FVCIqyIe1Fh/gW8M9e3JQAvWa/yZN5w OGa8nzOqUPWjxtifr5aIshzJVEfS7BCn662+Z1b0bYMdpY1Oi2MIavgXMZxf5wlOV+oQ ofkqUB4Sn5yNJ+4UM3nyf+RxpqT0zymTxHxrDEF7ifaM1452bFjWCpWnrrj2somdRd2q kLYm63E4gAh5rYQZCrkazsGaZ2yGbi93TBxQUumcpdEDUjuWMkrg8d5dSJ95xAbuiUJd qzKKuy+rzGBz5eM4PwFEMbJSD5lcd8PrL+SKh857MsPHjajgYFPgcE/HLJwcOs8cC+Ca DwnA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h6si1137025edl.466.2020.05.14.12.23.01; Thu, 14 May 2020 12:23:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727956AbgENTV2 (ORCPT + 99 others); Thu, 14 May 2020 15:21:28 -0400 Received: from smtp-bc0f.mail.infomaniak.ch ([45.157.188.15]:52189 "EHLO smtp-bc0f.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727835AbgENTV2 (ORCPT ); Thu, 14 May 2020 15:21:28 -0400 Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49NLxc0FXZzlhNp2; Thu, 14 May 2020 21:21:24 +0200 (CEST) Received: from ns3096276.ip-94-23-54.eu (unknown [94.23.54.103]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 49NLxZ3CmQzljTrx; Thu, 14 May 2020 21:21:22 +0200 (CEST) Subject: Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC To: Kees Cook , Stephen Smalley Cc: linux-kernel , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Deven Bowers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Mimi Zohar , =?UTF-8?Q?Philippe_Tr=c3=a9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, LSM List , Linux FS Devel References: <20200505153156.925111-1-mic@digikod.net> <20200505153156.925111-4-mic@digikod.net> <202005131525.D08BFB3@keescook> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <0e654c90-bec5-6ba1-771e-648da94ef547@digikod.net> Date: Thu, 14 May 2020 21:21:21 +0200 User-Agent: MIME-Version: 1.0 In-Reply-To: <202005131525.D08BFB3@keescook> Content-Type: text/plain; charset=iso-8859-15 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 14/05/2020 01:27, Kees Cook wrote: > On Wed, May 13, 2020 at 11:37:16AM -0400, Stephen Smalley wrote: >> On Tue, May 5, 2020 at 11:33 AM Micka?l Sala?n wrote: >>> >>> Enable to forbid access to files open with O_MAYEXEC. Thanks to the >>> noexec option from the underlying VFS mount, or to the file execute >>> permission, userspace can enforce these execution policies. This may >>> allow script interpreters to check execution permission before reading >>> commands from a file, or dynamic linkers to allow shared object loading. >>> >>> Add a new sysctl fs.open_mayexec_enforce to enable system administrators >>> to enforce two complementary security policies according to the >>> installed system: enforce the noexec mount option, and enforce >>> executable file permission. Indeed, because of compatibility with >>> installed systems, only system administrators are able to check that >>> this new enforcement is in line with the system mount points and file >>> permissions. A following patch adds documentation. >>> >>> For tailored Linux distributions, it is possible to enforce such >>> restriction at build time thanks to the CONFIG_OMAYEXEC_STATIC option. >>> The policy can then be configured with CONFIG_OMAYEXEC_ENFORCE_MOUNT and >>> CONFIG_OMAYEXEC_ENFORCE_FILE. >>> >>> Being able to restrict execution also enables to protect the kernel by >>> restricting arbitrary syscalls that an attacker could perform with a >>> crafted binary or certain script languages. It also improves multilevel >>> isolation by reducing the ability of an attacker to use side channels >>> with specific code. These restrictions can natively be enforced for ELF >>> binaries (with the noexec mount option) but require this kernel >>> extension to properly handle scripts (e.g., Python, Perl). To get a >>> consistent execution policy, additional memory restrictions should also >>> be enforced (e.g. thanks to SELinux). >>> >>> Signed-off-by: Micka?l Sala?n >>> Reviewed-by: Thibaut Sautereau >>> Cc: Aleksa Sarai >>> Cc: Al Viro >>> Cc: Kees Cook >>> --- >> >>> diff --git a/fs/namei.c b/fs/namei.c >>> index 33b6d372e74a..70f179f6bc6c 100644 >>> --- a/fs/namei.c >>> +++ b/fs/namei.c >>> @@ -411,10 +412,90 @@ static int sb_permission(struct super_block *sb, struct inode *inode, int mask) >> >>> +#if defined(CONFIG_SYSCTL) && !defined(CONFIG_OMAYEXEC_STATIC) >>> +int proc_omayexec(struct ctl_table *table, int write, void __user *buffer, >>> + size_t *lenp, loff_t *ppos) >>> +{ >>> + int error; >>> + >>> + if (write) { >>> + struct ctl_table table_copy; >>> + int tmp_mayexec_enforce; >>> + >>> + if (!capable(CAP_MAC_ADMIN)) >>> + return -EPERM; >> >> Not fond of using CAP_MAC_ADMIN here (or elsewhere outside of security >> modules). The ability to set this sysctl is not equivalent to being >> able to load a MAC policy, set arbitrary MAC labels on >> processes/files, etc. > > That's fair. In that case, perhaps this could just use the existing > _sysadmin helper? (Though I should note that these perm checks actually > need to be in the open, not the read/write ... I thought there was a > series to fix that, but I can't find it now. Regardless, that's > orthogonal to this series.) OK, I'll switch to CAP_SYS_ADMIN with proc_dointvec_minmax_sysadmin().