From: Mimi Zohar <zohar@linux.ibm.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Kees Cook <keescook@chromium.org>,
Paul Moore <paul@paul-moore.com>, Serge Hallyn <serge@hallyn.com>,
Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>,
Alejandro Colomar <alx@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Christian Heimes <christian@python.org>,
Dmitry Vyukov <dvyukov@google.com>,
Elliott Hughes <enh@google.com>,
Eric Biggers <ebiggers@kernel.org>,
Eric Chiang <ericchiang@google.com>,
Fan Wu <wufan@linux.microsoft.com>,
Florian Weimer <fweimer@redhat.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
James Morris <jamorris@linux.microsoft.com>,
Jan Kara <jack@suse.cz>, Jann Horn <jannh@google.com>,
Jeff Xu <jeffxu@google.com>, Jonathan Corbet <corbet@lwn.net>,
Jordan R Abrahams <ajordanr@google.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Luca Boccassi <bluca@debian.org>,
Luis Chamberlain <mcgrof@kernel.org>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
Matt Bobrowski <mattbobrowski@google.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Matthew Wilcox <willy@infradead.org>,
Miklos Szeredi <mszeredi@redhat.com>,
Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>,
Scott Shell <scottsh@microsoft.com>,
Shuah Khan <shuah@kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Steve Dower <steve.dower@python.org>,
Steve Grubb <sgrubb@redhat.com>, "Theodore Ts'o" <tytso@mit.edu>,
Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
Xiaoming Ni <nixiaoming@huawei.com>,
Yin Fengwei <fengwei.yin@intel.com>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests
Date: Tue, 26 Nov 2024 12:41:45 -0500 [thread overview]
Message-ID: <623f89b4de41ac14e0e48e106b846abc9e9d70cf.camel@linux.ibm.com> (raw)
In-Reply-To: <20241122.ahY1pooz1ing@digikod.net>
On Fri, 2024-11-22 at 15:50 +0100, Mickaël Salaün wrote:
> On Thu, Nov 21, 2024 at 03:34:47PM -0500, Mimi Zohar wrote:
> > Hi Mickaël,
> >
> > On Tue, 2024-11-12 at 20:18 +0100, Mickaël Salaün wrote:
> > >
> > > +
> > > +/* Returns 1 on error, 0 otherwise. */
> > > +static int interpret_stream(FILE *script, char *const script_name,
> > > + char *const *const envp, const bool restrict_stream)
> > > +{
> > > + int err;
> > > + char *const script_argv[] = { script_name, NULL };
> > > + char buf[128] = {};
> > > + size_t buf_size = sizeof(buf);
> > > +
> > > + /*
> > > + * We pass a valid argv and envp to the kernel to emulate a native
> > > + * script execution. We must use the script file descriptor instead of
> > > + * the script path name to avoid race conditions.
> > > + */
> > > + err = execveat(fileno(script), "", script_argv, envp,
> > > + AT_EMPTY_PATH | AT_EXECVE_CHECK);
> >
> > At least with v20, the AT_CHECK always was being set, independent of whether
> > set-exec.c set it. I'll re-test with v21.
>
> AT_EXECVE_CEHCK should always be set, only the interpretation of the
> result should be relative to securebits. This is highlighted in the
> documentation.
Sure, that sounds correct. With an IMA-appraisal policy, any unsigned script
with the is_check flag set now emits an "cause=IMA-signature-required" audit
message. However since IMA-appraisal isn't enforcing file signatures, this
sounds wrong.
New audit messages like "IMA-signature-required-by-interpreter" and "IMA-
signature-not-required-by-interpreter" would need to be defined based on the
SECBIT_EXEC_RESTRICT_FILE.
> >
> > > + if (err && restrict_stream) {
> > > + perror("ERROR: Script execution check");
> > > + return 1;
> > > + }
> > > +
> > > + /* Reads script. */
> > > + buf_size = fread(buf, 1, buf_size - 1, script);
> > > + return interpret_buffer(buf, buf_size);
> > > +}
> > > +
> >
> >
>
next prev parent reply other threads:[~2024-11-26 17:49 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-12 19:18 [PATCH v21 0/6] Script execution control (was O_MAYEXEC) Mickaël Salaün
2024-11-12 19:18 ` [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) Mickaël Salaün
2024-11-20 1:17 ` Jeff Xu
2024-11-20 9:42 ` Mickaël Salaün
2024-11-20 16:06 ` Jeff Xu
2024-11-21 13:39 ` Mickaël Salaün
2024-11-21 18:27 ` Jeff Xu
2024-11-22 14:50 ` Mickaël Salaün
2024-11-25 17:38 ` Jeff Xu
2024-11-27 12:07 ` Mickaël Salaün
2024-11-27 15:14 ` Jeff Xu
2024-12-05 3:33 ` Paul Moore
2024-11-12 19:18 ` [PATCH v21 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits Mickaël Salaün
2024-11-20 1:30 ` Jeff Xu
2024-11-20 9:42 ` Mickaël Salaün
2024-11-12 19:18 ` [PATCH v21 3/6] selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits Mickaël Salaün
2024-11-12 19:18 ` [PATCH v21 4/6] selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK Mickaël Salaün
2024-11-12 19:18 ` [PATCH v21 5/6] samples/check-exec: Add set-exec Mickaël Salaün
2024-11-12 19:18 ` [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests Mickaël Salaün
2024-11-21 20:34 ` Mimi Zohar
2024-11-22 14:50 ` Mickaël Salaün
2024-11-26 17:41 ` Mimi Zohar [this message]
2024-11-27 12:10 ` Mickaël Salaün
2024-11-27 15:15 ` Mimi Zohar
2024-11-21 4:58 ` [PATCH v21 0/6] Script execution control (was O_MAYEXEC) Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=623f89b4de41ac14e0e48e106b846abc9e9d70cf.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=adhemerval.zanella@linaro.org \
--cc=ajordanr@google.com \
--cc=akpm@linux-foundation.org \
--cc=alx@kernel.org \
--cc=arnd@arndb.de \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=enh@google.com \
--cc=ericchiang@google.com \
--cc=fengwei.yin@intel.com \
--cc=fweimer@redhat.com \
--cc=geert@linux-m68k.org \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=mattbobrowski@google.com \
--cc=mcgrof@kernel.org \
--cc=mic@digikod.net \
--cc=mjg59@srcf.ucam.org \
--cc=mszeredi@redhat.com \
--cc=nicolas.bouchinet@ssi.gouv.fr \
--cc=nixiaoming@huawei.com \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=scottsh@microsoft.com \
--cc=serge@hallyn.com \
--cc=sfr@canb.auug.org.au \
--cc=sgrubb@redhat.com \
--cc=shuah@kernel.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@ssi.gouv.fr \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=wufan@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).