From: zohar@linux.vnet.ibm.com (Mimi Zohar)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v1] shebang: restrict python interactive prompt/interpreter
Date: Mon, 12 Jun 2017 10:27:24 -0400 [thread overview]
Message-ID: <1497277644.21594.319.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <1497234757.21594.280.camel@linux.vnet.ibm.com>
On Sun, 2017-06-11 at 22:32 -0400, Mimi Zohar wrote:
> On Sun, 2017-06-11 at 13:44 +0200, Micka?l Sala?n wrote:
> > Using filesystem xattr seems like a good idea for this kind of
> > exceptions and instead of a hardcoded interpreter path. Something like
> > "security.tpe.interpreter=1|2" (bitmask for interpreter-only and/or CLI)
> > and "security.tpe.environment=HOME,LOGNAME" would be quite flexible to
> > configure a security policy for some binaries. This could also be
> > protected by IMA/EVM, if needed.
>
> Checking for the existence of an xattr without caching is relatively
> slow. ?I'm not sure that we would want to go this route.
?
For identifying interpreters, xattrs would be too slow (without
caching results), but once identified, using xattrs as you suggested,
for specifying how interpreters can be invoked and limiting
environment variables, is a good idea. ?Perhaps the two xattrs could
be combined?
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-06-12 14:27 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-09 13:22 [PATCH v1] shebang: restrict python interactive prompt/interpreter Mimi Zohar
2017-06-09 14:02 ` Tetsuo Handa
2017-06-09 14:50 ` Matt Brown
2017-06-09 15:41 ` Tetsuo Handa
2017-06-09 16:37 ` Matt Brown
2017-06-09 16:43 ` Jason Zaman
2017-06-09 17:23 ` Matt Brown
2017-06-09 23:04 ` Tetsuo Handa
2017-06-10 1:56 ` Kees Cook
2017-06-10 5:27 ` Tetsuo Handa
2017-06-12 0:34 ` Matt Brown
[not found] ` <d9aca46b-97c6-4faf-b559-484feb4aa640@digikod.net>
2017-06-12 2:32 ` Mimi Zohar
2017-06-12 14:27 ` Mimi Zohar [this message]
2017-06-14 14:10 ` Alan Cox
2017-06-14 20:37 ` [kernel-hardening] " Boris Lukashev
[not found] ` <8a2300ef-1462-0e1f-2d6a-81e6020bc71f@digikod.net>
2017-06-13 21:44 ` Casey Schaufler
2017-06-10 1:49 ` Tetsuo Handa
2017-06-09 15:06 ` Mimi Zohar
2017-06-09 15:23 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1497277644.21594.319.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).