From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Matt Brown <matt@nmatt.com>, Kees Cook <keescook@chromium.org>
Cc: James Morris <james.l.morris@oracle.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
LKML <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] Re: [PATCH v2 1/1] Add Trusted Path Execution as a stackable LSM
Date: Fri, 09 Jun 2017 09:44:38 -0400 [thread overview]
Message-ID: <1497015878.21594.201.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <e92c4476-8480-1f35-1777-b6fb1400c462@nmatt.com>
On Fri, 2017-06-09 at 09:18 -0400, Matt Brown wrote:
> On 6/9/17 9:16 AM, Mimi Zohar wrote:
> > On Fri, 2017-06-09 at 05:55 -0700, Kees Cook wrote:
> >> On Fri, Jun 9, 2017 at 3:18 AM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> >>> On Thu, 2017-06-08 at 23:50 -0400, Matt Brown wrote:
> >>>>>>
> >>>>>> * Issues:
> >>>>>> * Can be bypassed by interpreted languages such as python. You can run
> >>>>>> malicious code by doing: python -c 'evil code'
> >>>>>
> >>>>> What's the recommendation for people interested in using TPE but
> >>>>> having interpreters installed?
> >>>>>
> >>>>
> >>>> If you don't need a given interpreter installed, uninstall it. While
> >>>> this is common sense system hardening it especially would make a
> >>>> difference under the TPE threat model.
> >>>>
> >>>> I don't have a knock down answer for this. Interpreters are a hard
> >>>> problem for TPE.
> >>>
> >>> You might be interested in the minor LSM named "shebang", that I
> >>> posted as a proof of concept back in January, which restricts the
> >>> python interactive prompt/interpreter, but allows the scripts
> >>> themselves to be executed.
> >>
> >> https://patchwork.kernel.org/patch/9547405/
> >>
> >> Maybe these could be merged and the interpreter string could be made
> >> into a configurable list?
> >
> > I updated shebang, but didn't bother to post it, as nobody seemed to
> > be interested at the time. The updated version already has support
> > for the configurable list. Re-posting ...
> >
>
> That would be awesome. I think it's the perfect complement to TPE as it
> protects a key hole in its current threat model.
Hm, I hadn't looked at it since January. It still needs to be
cleaned up and expanded a bit. The original version used a pathname
for identifying the interpreter. This version converts the list of
pathnames to a set of inodes, which is better, but now requires a
method for updating the inode number after a software update.
Please feel free to expand on it or re-use whatever you like.
Mimi
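Added example, not code from this thread or from the shebang LSM patch: a small userspace model in C of the design change described above, identifying listed interpreters by their (device, inode) identity instead of by pathname, together with the refresh step that becomes necessary once a software update replaces the interpreter binary under the same path. Everything here is constructed for illustration (the struct, the function names, the temporary files under /tmp); it is not the LSM's own data structure or hook logic.

```c
/* Constructed illustration of inode-based interpreter identification.
 * Not the shebang LSM's code; names and layout are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define INTERP_MAX 8

/* One configured interpreter: the pathname from the list plus the
 * (device, inode) identity it resolved to when it was last looked up. */
struct interp {
    char path[PATH_MAX];
    dev_t dev;
    ino_t ino;
    int valid;   /* 0 until resolved, or after the file disappeared */
};

/* Look the stored pathname up again and record its current identity. */
static int interp_resolve(struct interp *e)
{
    struct stat st;

    if (stat(e->path, &st) != 0)
        return -errno;
    if (!S_ISREG(st.st_mode))
        return -EINVAL;   /* an interpreter is a regular file */
    e->dev = st.st_dev;
    e->ino = st.st_ino;
    e->valid = 1;
    return 0;
}

/* Add a pathname from the configured list and resolve it at once. */
static int interp_add(struct interp *e, const char *path)
{
    if (snprintf(e->path, sizeof(e->path), "%s", path) >= (int)sizeof(e->path))
        return -ENAMETOOLONG;
    return interp_resolve(e);
}

/* The check a hook would make: is this (dev, ino) a listed interpreter?
 * Comparing identities rather than pathnames is unaffected by hard links
 * and renames of the same file. */
static int interp_match(const struct interp *list, size_t n, dev_t dev, ino_t ino)
{
    for (size_t i = 0; i < n; i++)
        if (list[i].valid && list[i].dev == dev && list[i].ino == ino)
            return 1;
    return 0;
}

/* Stale: the pathname no longer resolves to the recorded identity, e.g.
 * the binary was removed or a package update installed a new one. */
static int interp_is_stale(const struct interp *e)
{
    struct stat st;

    if (!e->valid || stat(e->path, &st) != 0)
        return 1;
    return st.st_dev != e->dev || st.st_ino != e->ino;
}

/* The "method for updating the inode number" after an update: re-resolve
 * every stale entry; returns how many were refreshed. An entry whose file
 * is gone is invalidated, so an inode number the filesystem may later hand
 * to an unrelated file is never matched. */
static int interp_refresh(struct interp *list, size_t n)
{
    int refreshed = 0;

    for (size_t i = 0; i < n; i++) {
        if (!interp_is_stale(&list[i]))
            continue;
        if (interp_resolve(&list[i]) == 0)
            refreshed++;
        else
            list[i].valid = 0;
    }
    return refreshed;
}

/* Walk the lifecycle on constructed temp files. Returns 0 when every
 * expectation holds, otherwise the number of the step that failed. */
int demo_inode_identity(void)
{
    char a[] = "/tmp/interp_a_XXXXXX", b[] = "/tmp/interp_b_XXXXXX";
    struct interp list[INTERP_MAX];
    struct stat st;
    int fd, fa = mkstemp(a), fb = mkstemp(b);

    memset(list, 0, sizeof(list));
    if (fa < 0 || fb < 0)
        return 1;
    close(fa);
    close(fb);

    if (interp_add(&list[0], a) != 0)                          return 2;
    if (stat(b, &st) != 0)                                     return 3;
    /* two files alive at once never share an inode on one device */
    if (interp_match(list, 1, st.st_dev, st.st_ino))           return 4;
    if (!interp_match(list, 1, list[0].dev, list[0].ino))      return 5;
    if (interp_is_stale(&list[0]))                             return 6;

    /* "update": the old binary is removed ... */
    if (unlink(a) != 0)                                        return 7;
    if (interp_refresh(list, 1) != 0 || list[0].valid)         return 8;
    /* ... and a new one appears at the same pathname */
    fd = open(a, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0)                                                return 9;
    close(fd);
    if (interp_refresh(list, 1) != 1)                          return 10;
    if (stat(a, &st) != 0 || !interp_match(list, 1, st.st_dev, st.st_ino))
        return 11;

    unlink(a);
    unlink(b);
    return 0;
}

int main(void)
{
    int rc = demo_inode_identity();
    printf("inode identity demo: %s (step %d)\n", rc ? "FAILED" : "ok", rc);
    return rc;
}
```

The demo deliberately does not assume that the re-created file gets a different inode number than the removed one (filesystems may reuse numbers), which is exactly why the refresh step invalidates an entry whose file is gone rather than keeping the old number around until something else resolves to it.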