From mboxrd@z Thu Jan 1 00:00:00 1970 From: zohar@linux.vnet.ibm.com (Mimi Zohar) Date: Mon, 12 Jun 2017 10:27:24 -0400 Subject: [PATCH v1] shebang: restrict python interactive prompt/interpreter In-Reply-To: <1497234757.21594.280.camel@linux.vnet.ibm.com> References: <201706100041.GFH78616.OFtOHFJSLQOMVF@I-love.SAKURA.ne.jp> <754b78d1-f7f9-58bd-bf74-fea9e105649a@nmatt.com> <20170609164315.GA1141@meriadoc.perfinion.com> <201706101427.EEG90168.OtFFHSFMOVOJQL@I-love.SAKURA.ne.jp> <1497234757.21594.280.camel@linux.vnet.ibm.com> Message-ID: <1497277644.21594.319.camel@linux.vnet.ibm.com> To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Sun, 2017-06-11 at 22:32 -0400, Mimi Zohar wrote: > On Sun, 2017-06-11 at 13:44 +0200, Micka?l Sala?n wrote: > > Using filesystem xattr seems like a good idea for this kind of > > exceptions and instead of a hardcoded interpreter path. Something like > > "security.tpe.interpreter=1|2" (bitmask for interpreter-only and/or CLI) > > and "security.tpe.environment=HOME,LOGNAME" would be quite flexible to > > configure a security policy for some binaries. This could also be > > protected by IMA/EVM, if needed. > > Checking for the existence of an xattr without caching is relatively > slow. ?I'm not sure that we would want to go this route. ? For identifying interpreters, xattrs would be too slow (without caching results), but once identified, using xattrs as you suggested, for specifying how interpreters can be invoked and limiting environment variables, is a good idea. ?Perhaps the two xattrs could be combined? Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html