From: Mickaël Salaün
To: Linus Torvalds
Cc: Al Viro, Andrew Morton, Christian Heimes, Geert Uytterhoeven, James Morris, Kees Cook, Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore, Philippe Trébuchet, Shuah Khan, Steve Dower, Thibaut Sautereau, Vincent Strubel, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
Date: Wed, 30 Mar 2022 18:06:15 +0200
In-Reply-To: <20220321161557.495388-1-mic@digikod.net>
List-ID: linux-kernel@vger.kernel.org

Hi,

What is the status of this pull request? Do you need something more?

Regards,
 Mickaël

On 21/03/2022 17:15, Mickaël Salaün wrote:
> Hi Linus,
>
> This patch series adds a new syscall named trusted_for. It enables user
> space to ask the kernel: is this file descriptor's content trusted to be
> used for this purpose? The set of usages currently only contains
> execution, but others may follow (e.g. configuration, sensitive data).
> If the kernel identifies the file descriptor as trustworthy for this
> usage, user space should then take this information into account.
> The "execution" usage means that the content of the file descriptor is
> trusted according to the system policy to be executed by user space,
> which means that it interprets the content or (tries to) map it as
> executable memory.
>
> A simple system-wide security policy can be set by the system
> administrator through a sysctl configuration consistent with the mount
> points or the file access rights. The documentation explains the
> prerequisites.
>
> It is important to note that this can only extend access control
> managed by the kernel. Hence it enables current access control
> mechanisms to be extended and become a superset of what they can
> currently control. Indeed, the security policy could also be delegated
> to an LSM, either a MAC system or an integrity system. For instance,
> this is required to close a major IMA measurement/appraisal interpreter
> integrity gap by bringing the ability to check the use of scripts.
> Other uses are expected as well.
>
> For further details, please see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
>
> Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin()
> to sysctl.c") was recently added due to the sysctl refactoring.
>
> Commit e674341a90b9 ("selftests/interpreter: fix separate directory
> build") will fix some test build cases as explained here:
> https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@collabora.com
> Merging this commit without the new KHDR_INCLUDES is not an issue.
> The upcoming kselftest pull request is ready:
> https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next
>
> This patch series has been open for review for more than three years and
> got a lot of feedback (and bikeshedding), all of which was considered.
> Since I heard no objection, please consider pulling this code for
> v5.18-rc1.
> These five patches have been successfully tested in the
> latest linux-next releases for several weeks.
>
> Regards,
> Mickaël
>
> --
> The following changes since commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60:
>
>   gcc-plugins/stackleak: Use noinstr in favor of notrace (2022-02-03 17:02:21 -0800)
>
> are available in the Git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/trusted-for-v18
>
> for you to fetch changes up to e674341a90b95c3458d684ae25e6891afc3e03ad:
>
>   selftests/interpreter: fix separate directory build (2022-03-04 10:56:25 +0100)
>
> ----------------------------------------------------------------
> Add the trusted_for system call (v18)
>
> The final goal of this patch series is to enable the kernel to be a
> global policy manager by entrusting processes with access control at
> their level. To reach this goal, two complementary parts are required:
> * user space needs to be able to know if it can trust some file
>   descriptor content for a specific usage;
> * and the kernel needs to make available some part of the policy
>   configured by the system administrator.
>
> In a nutshell, this is a required building block to control script
> execution.
>
> For further details see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
>
> ----------------------------------------------------------------
> Mickaël Salaün (4):
>       printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c
>       fs: Add trusted_for(2) syscall implementation and related sysctl
>       arch: Wire up trusted_for(2)
>       selftest/interpreter: Add tests for trusted_for(2) policies
>
> Muhammad Usama Anjum (1):
>       selftests/interpreter: fix separate directory build
>
>  Documentation/admin-guide/sysctl/fs.rst            |  50 +++
>  arch/alpha/kernel/syscalls/syscall.tbl             |   1 +
>  arch/arm/tools/syscall.tbl                         |   1 +
>  arch/arm64/include/asm/unistd.h                    |   2 +-
>  arch/arm64/include/asm/unistd32.h                  |   2 +
>  arch/ia64/kernel/syscalls/syscall.tbl              |   1 +
>  arch/m68k/kernel/syscalls/syscall.tbl              |   1 +
>  arch/microblaze/kernel/syscalls/syscall.tbl        |   1 +
>  arch/mips/kernel/syscalls/syscall_n32.tbl          |   1 +
>  arch/mips/kernel/syscalls/syscall_n64.tbl          |   1 +
>  arch/mips/kernel/syscalls/syscall_o32.tbl          |   1 +
>  arch/parisc/kernel/syscalls/syscall.tbl            |   1 +
>  arch/powerpc/kernel/syscalls/syscall.tbl           |   1 +
>  arch/s390/kernel/syscalls/syscall.tbl              |   1 +
>  arch/sh/kernel/syscalls/syscall.tbl                |   1 +
>  arch/sparc/kernel/syscalls/syscall.tbl             |   1 +
>  arch/x86/entry/syscalls/syscall_32.tbl             |   1 +
>  arch/x86/entry/syscalls/syscall_64.tbl             |   1 +
>  arch/xtensa/kernel/syscalls/syscall.tbl            |   1 +
>  fs/open.c                                          | 133 ++++++++
>  fs/proc/proc_sysctl.c                              |   2 +-
>  include/linux/syscalls.h                           |   1 +
>  include/linux/sysctl.h                             |   3 +
>  include/uapi/asm-generic/unistd.h                  |   5 +-
>  include/uapi/linux/trusted-for.h                   |  18 +
>  kernel/printk/sysctl.c                             |   9 -
>  kernel/sysctl.c                                    |   9 +
>  tools/testing/selftests/Makefile                   |   1 +
>  tools/testing/selftests/interpreter/.gitignore     |   2 +
>  tools/testing/selftests/interpreter/Makefile       |  21 ++
>  tools/testing/selftests/interpreter/config         |   1 +
>  .../selftests/interpreter/trust_policy_test.c      | 362 +++++++++++++++++++++
>  32 files changed, 625 insertions(+), 12 deletions(-)
>  create mode 100644 include/uapi/linux/trusted-for.h
>  create mode 100644 tools/testing/selftests/interpreter/.gitignore
>  create mode 100644 tools/testing/selftests/interpreter/Makefile
>  create mode 100644 tools/testing/selftests/interpreter/config
>  create mode 100644 tools/testing/selftests/interpreter/trust_policy_test.c