Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1544647356.4028.105.camel@linux.ibm.com>
Date: Wed, 12 Dec 2018 15:42:36 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Jan Kara <jack@...e.cz>,
        Mickaël Salaün
	 <mic@...ikod.net>
Cc: linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>,
        James
 Morris <jmorris@...ei.org>, Jonathan Corbet <corbet@....net>,
        Kees Cook
 <keescook@...omium.org>, Matthew Garrett <mjg59@...gle.com>,
        Michael
 Kerrisk <mtk.manpages@...il.com>,
        Mickaël Salaün
 <mickael.salaun@....gouv.fr>,
        Philippe Trébuchet
 <philippe.trebuchet@....gouv.fr>,
        Shuah Khan <shuah@...nel.org>,
        Thibaut
 Sautereau <thibaut.sautereau@....gouv.fr>,
        Vincent Strubel
 <vincent.strubel@....gouv.fr>,
        Yves-Alexis Perez
 <yves-alexis.perez@....gouv.fr>,
        kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        sgrubb@...hat.com, Matthew Bobrowski
 <mbobrowski@...browski.org>
Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on
 sys_open()

On Wed, 2018-12-12 at 15:43 +0100, Jan Kara wrote:


> > diff --git a/fs/open.c b/fs/open.c
> > index 0285ce7dbd51..75479b79a58f 100644
> > --- a/fs/open.c
> > +++ b/fs/open.c
> > @@ -974,6 +974,10 @@ static inline int build_open_flags(int flags, umode_t mode, struct open_flags *o
> >  	if (flags & O_APPEND)
> >  		acc_mode |= MAY_APPEND;
> >  
> > +	/* Check execution permissions on open. */
> > +	if (flags & O_MAYEXEC)
> > +		acc_mode |= MAY_OPENEXEC;
> > +
> >  	op->acc_mode = acc_mode;
> >  
> >  	op->intent = flags & O_PATH ? 0 : LOOKUP_OPEN;
> 
> I don't feel experienced enough in security to tell whether we want this
> functionality or not. But if we do this, shouldn't we also set FMODE_EXEC
> on the resulting struct file? That way also security_file_open() can be
> used to arbitrate such executable opens and in particular
> fanotify permission event FAN_OPEN_EXEC will get properly generated which I
> guess is desirable (support for it is sitting in my tree waiting for the
> merge window) - adding some audit people involved in FAN_OPEN_EXEC to
> CC. Just an idea...

Assuming the interpreters are properly modified (and signed),
MAY_OPENEXEC closes a major IMA measurement/appraisal gap.  The kernel
has no insight into the files that the interpreter is opening.  Having
the interpreter annotate the file open, allows IMA to differentiate
scripts opening data files from code.

IMA policy rules could then be written requiring code to be signed.

Example IMA policy rules:
measure func=FILE_CHECK mask=MAY_OPENEXEC
appraise func=FILE_CHECK mask=MAY_OPENEXEC appraise_type=imasig

Mimi

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.