From: Mimi Zohar <zohar@linux.ibm.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: linux-integrity@vger.kernel.org, roberto.sassu@huawei.com,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, audit@vger.kernel.org,
Paul Moore <paul@paul-moore.com>, Jeff Xu <jeffxu@chromium.org>,
Kees Cook <kees@kernel.org>
Subject: Re: [PATCH] ima: instantiate the bprm_creds_for_exec() hook
Date: Tue, 03 Dec 2024 11:03:08 -0500
Message-ID: <f588fffdb27b28531e900e59cc17182617726b59.camel@linux.ibm.com>
In-Reply-To: <20241203.oZu0aemaiv5a@digikod.net>
On Tue, 2024-12-03 at 12:53 +0100, Mickaël Salaün wrote:
> On Mon, Dec 02, 2024 at 02:40:35PM -0500, Mimi Zohar wrote:
> > On Fri, 2024-11-29 at 12:06 +0100, Mickaël Salaün wrote:
> > > For reference, here is the base patch series:
> > > https://lore.kernel.org/all/20241112191858.162021-1-mic@digikod.net/
> > >
> > > CCing audit@
> > >
> > > On Wed, Nov 27, 2024 at 04:02:34PM -0500, Mimi Zohar wrote:
> > > > Like direct file execution (e.g. ./script.sh), indirect file execution
> > > > (e.g. sh script.sh) needs to be measured and appraised. Instantiate
> > > > the new security_bprm_creds_for_exec() hook to measure and verify the
> > > > indirect file's integrity. Unlike direct file execution, indirect file
> > > > execution integrity is optionally enforced by the interpreter.
> > > >
> > > > Update the audit messages to differentiate between kernel and userspace
> > > > enforced integrity.
> > >
> > > I'm not sure to see the full picture. What is the difference between
> > > execveat() calls and execveat() + AT_EXECVE_CHECK calls? Both are from
> > > user space, the only difference is that the first can lead to a full
> > > execution, but the intent is the same.
> >
> > We do want the full execution in order to measure/appraise/audit both the direct
> > file execution (e.g. ./script.sh) and the interpreter (e.g. #!/usr/bin/bash)
> > specified.
>
> Yes, but I was wondering about the difference in the log messages. In
> both cases the script is checked, but only without AT_EXECVE_CHECK its
> "dependencies" (e.g. script interpreter) are checked. I guess it could
> be useful to differentiate those but I wanted to make sure we were on
> the same page.
By "those" I assume you're referring to with/without AT_EXECVE_CHECK and not the
missing "dependencies".
In both cases the integrity of the script is being checked, but in one case the
integrity is being enforced by the kernel, while in the other case userspace may
enforce integrity. The audit message should differ between these two cases.
Mimi
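The following program is an added illustration of the userspace-enforced case discussed above; it is not code from the thread, from the IMA patch or from the execveat(2) series. It assumes the AT_EXECVE_CHECK uapi value (0x10000, taken from the referenced series) for headers that predate it, and the interpreter policy (classify_check, check_script_fd, interpreter_should_run, the --strict switch) is hypothetical. The kernel applies its execution checks to the already-open script, including IMA measurement and appraisal where policy covers the file, and returns a verdict without executing anything; unlike a real execve of the script, the interpreter named on its #! line is not checked again, and it is the interpreter, not the kernel, that decides what to do with the verdict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Assumed uapi value from the execveat(2) AT_EXECVE_CHECK series, for
 * toolchains whose <fcntl.h> does not yet define it. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

enum check_verdict { CHECK_ALLOWED, CHECK_DENIED, CHECK_UNSUPPORTED };

/* Map an execveat(AT_EXECVE_CHECK) outcome to a verdict. rc is the syscall
 * return value and err the errno it left behind (ignored when rc == 0).
 * EINVAL means the running kernel rejects the flag (it predates the series),
 * ENOSYS that execveat itself is missing: in both cases the interpreter has
 * learned nothing about the script's integrity and must fall back to policy. */
enum check_verdict classify_check(int rc, int err)
{
    if (rc == 0)
        return CHECK_ALLOWED;
    if (err == EINVAL || err == ENOSYS)
        return CHECK_UNSUPPORTED;
    return CHECK_DENIED;
}

/* Ask the kernel to run its execution checks on an open script fd without
 * executing it. AT_EMPTY_PATH with "" names the fd itself; argv/envp are
 * not needed for a check-only call. *err receives errno on failure. */
enum check_verdict check_script_fd(int fd, int *err)
{
    long rc;
#ifdef SYS_execveat
    rc = syscall(SYS_execveat, fd, "", NULL, NULL,
                 AT_EMPTY_PATH | AT_EXECVE_CHECK);
#else
    rc = -1;
    errno = ENOSYS;
#endif
    *err = (rc == 0) ? 0 : errno;
    return classify_check((rc == 0) ? 0 : -1, *err);
}

/* The hypothetical interpreter's own policy: the kernel's verdict is binding
 * when it gives one; when it cannot, strict mode refuses and permissive mode
 * proceeds. This is the "userspace may enforce integrity" case. */
int interpreter_should_run(enum check_verdict v, int strict)
{
    switch (v) {
    case CHECK_ALLOWED:
        return 1;
    case CHECK_DENIED:
        return 0;
    case CHECK_UNSUPPORTED:
        return !strict;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s SCRIPT [--strict]\n", argv[0]);
        return 2;
    }
    int strict = (argc > 2 && strcmp(argv[2], "--strict") == 0);

    /* Open the script exactly as an interpreter would before reading it. */
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    int err;
    enum check_verdict v = check_script_fd(fd, &err);
    const char *name = (v == CHECK_ALLOWED) ? "allowed"
                     : (v == CHECK_DENIED)  ? "denied"
                                            : "unsupported";
    printf("kernel check for %s: %s (errno %d: %s)\n",
           argv[1], name, err, err ? strerror(err) : "none");

    if (!interpreter_should_run(v, strict)) {
        fprintf(stderr, "refusing to interpret %s\n", argv[1]);
        close(fd);
        return 126;
    }
    /* A real interpreter would now read fd and run the script; this example
     * stops here, having demonstrated the check and the decision. */
    close(fd);
    return 0;
}
```

Usage: compile and run as `./check-exec script.sh --strict` on a kernel with AT_EXECVE_CHECK and an IMA policy covering the file; on an older kernel the call fails with EINVAL, which the program reports as "unsupported" so that a strict interpreter refuses rather than silently running an unverified script.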
Thread overview: 9+ messages
2024-11-27 21:02 [PATCH] ima: instantiate the bprm_creds_for_exec() hook Mimi Zohar
2024-11-28 15:57 ` kernel test robot
2024-11-28 21:07 ` kernel test robot
2024-11-29 11:06 ` Mickaël Salaün
2024-12-02 19:40 ` Mimi Zohar
2024-12-03 11:53 ` Mickaël Salaün
2024-12-03 16:03 ` Mimi Zohar [this message]
2024-12-02 21:25 ` Stefan Berger
2024-12-03 11:58 ` Mickaël Salaün