Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 7 May 2020 01:41:17 +1000
From: Aleksa Sarai <cyphar@...har.com>
To: "Lev R. Oshvang ." <levonshe@...il.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
	linux-kernel@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
	Al Viro <viro@...iv.linux.org.uk>,
	Andy Lutomirski <luto@...nel.org>,
	Christian Heimes <christian@...hon.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	Deven Bowers <deven.desai@...ux.microsoft.com>,
	Eric Chiang <ericchiang@...gle.com>,
	Florian Weimer <fweimer@...hat.com>,
	James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>,
	Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
	Kees Cook <keescook@...omium.org>,
	Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
	Matthew Garrett <mjg59@...gle.com>,
	Matthew Wilcox <willy@...radead.org>,
	Michael Kerrisk <mtk.manpages@...il.com>,
	Mickaël Salaün <mickael.salaun@....gouv.fr>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Philippe Trébuchet <philippe.trebuchet@....gouv.fr>,
	Scott Shell <scottsh@...rosoft.com>,
	Sean Christopherson <sean.j.christopherson@...el.com>,
	Shuah Khan <shuah@...nel.org>, Steve Dower <steve.dower@...hon.org>,
	Steve Grubb <sgrubb@...hat.com>,
	Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
	Vincent Strubel <vincent.strubel@....gouv.fr>,
	kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	LSM List <linux-security-module@...r.kernel.org>,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v5 0/6] Add support for O_MAYEXEC

On 2020-05-06, Lev R. Oshvang . <levonshe@...il.com> wrote:
> On Tue, May 5, 2020 at 6:36 PM Mickaël Salaün <mic@...ikod.net> wrote:
> >
> >
> > On 05/05/2020 17:31, Mickaël Salaün wrote:
> > > Hi,
> > >
> > > This fifth patch series add new kernel configurations (OMAYEXEC_STATIC,
> > > OMAYEXEC_ENFORCE_MOUNT, and OMAYEXEC_ENFORCE_FILE) to enable to
> > > configure the security policy at kernel build time.  As requested by
> > > Mimi Zohar, I completed the series with one of her patches for IMA.
> > >
> > > The goal of this patch series is to enable to control script execution
> > > with interpreters help.  A new O_MAYEXEC flag, usable through
> > > openat2(2), is added to enable userspace script interpreter to delegate
> > > to the kernel (and thus the system security policy) the permission to
> > > interpret/execute scripts or other files containing what can be seen as
> > > commands.
> > >
> > > A simple system-wide security policy can be enforced by the system
> > > administrator through a sysctl configuration consistent with the mount
> > > points or the file access rights.  The documentation patch explains the
> > > prerequisites.
> > >
> > > Furthermore, the security policy can also be delegated to an LSM, either
> > > a MAC system or an integrity system.  For instance, the new kernel
> > > MAY_OPENEXEC flag closes a major IMA measurement/appraisal interpreter
> > > integrity gap by bringing the ability to check the use of scripts [1].
> > > Other uses are expected, such as for openat2(2) [2], SGX integration
> > > [3], bpffs [4] or IPE [5].
> > >
> > > Userspace needs to adapt to take advantage of this new feature.  For
> > > example, the PEP 578 [6] (Runtime Audit Hooks) enables Python 3.8 to be
> > > extended with policy enforcement points related to code interpretation,
> > > which can be used to align with the PowerShell audit features.
> > > Additional Python security improvements (e.g. a limited interpreter
> > > withou -c, stdin piping of code) are on their way.
> > >
> > > The initial idea come from CLIP OS 4 and the original implementation has
> > > been used for more than 12 years:
> > > https://github.com/clipos-archive/clipos4_doc
> > >
> > > An introduction to O_MAYEXEC was given at the Linux Security Summit
> > > Europe 2018 - Linux Kernel Security Contributions by ANSSI:
> > > https://www.youtube.com/watch?v=chNjCRtPKQY&t=17m15s
> > > The "write xor execute" principle was explained at Kernel Recipes 2018 -
> > > CLIP OS: a defense-in-depth OS:
> > > https://www.youtube.com/watch?v=PjRE0uBtkHU&t=11m14s
> > >
> > > This patch series can be applied on top of v5.7-rc4.  This can be tested
> > > with CONFIG_SYSCTL.  I would really appreciate constructive comments on
> > > this patch series.
> > >
> > > Previous version:
> > > https://lore.kernel.org/lkml/20200428175129.634352-1-mic@digikod.net/
> >
> > The previous version (v4) is
> > https://lore.kernel.org/lkml/20200430132320.699508-1-mic@digikod.net/
> 
> 
> Hi Michael
> 
> I have couple of question
> 1. Why you did not add O_MAYEXEC to open()?
> Some time ago (around v4.14) open() did not return EINVAL when
> VALID_OPEN_FLAGS check failed.
> Now it does, so I do not see a problem that interpreter will use
> simple open(),  ( Although that path might be manipulated, but file
> contents will be verified by IMA)

You don't get -EINVAL from open() in the case of unknown flags, that's
something only openat2() does in the open*() family. Hence why it's only
introduced for openat2().

> 2. When you apply a new flag to mount, it means that IMA will check
> all files under this mount and it does not matter whether the file in
> question is a script or not.
> IMHO it is too hard overhead for performance reasons.
> 
> Regards,
> LEv


-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.