From: gnomes@lxorguk.ukuu.org.uk (Alan Cox)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v1] shebang: restrict python interactive prompt/interpreter
Date: Wed, 14 Jun 2017 15:10:08 +0100 [thread overview]
Message-ID: <20170614151008.42bc57a2@alans-desktop> (raw)
In-Reply-To: <1497277644.21594.319.camel@linux.vnet.ibm.com>
On Mon, 12 Jun 2017 10:27:24 -0400
Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> On Sun, 2017-06-11 at 22:32 -0400, Mimi Zohar wrote:
> > On Sun, 2017-06-11 at 13:44 +0200, Micka?l Sala?n wrote:
>
> > > Using filesystem xattr seems like a good idea for this kind of
> > > exceptions and instead of a hardcoded interpreter path. Something like
> > > "security.tpe.interpreter=1|2" (bitmask for interpreter-only and/or CLI)
> > > and "security.tpe.environment=HOME,LOGNAME" would be quite flexible to
> > > configure a security policy for some binaries. This could also be
> > > protected by IMA/EVM, if needed.
> >
> > Checking for the existence of an xattr without caching is relatively
> > slow. ?I'm not sure that we would want to go this route.
> ?
> For identifying interpreters, xattrs would be too slow (without
> caching results), but once identified, using xattrs as you suggested,
> for specifying how interpreters can be invoked and limiting
> environment variables, is a good idea. ?Perhaps the two xattrs could
> be combined?
It's not just #! you need to cover. If I can run ld.so for my arch format
then ld.so will helpfully let me load any ELF binary I like and run it.
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-06-14 14:10 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-09 13:22 [PATCH v1] shebang: restrict python interactive prompt/interpreter Mimi Zohar
2017-06-09 14:02 ` Tetsuo Handa
2017-06-09 14:50 ` Matt Brown
2017-06-09 15:41 ` Tetsuo Handa
2017-06-09 16:37 ` Matt Brown
2017-06-09 16:43 ` Jason Zaman
2017-06-09 17:23 ` Matt Brown
2017-06-09 23:04 ` Tetsuo Handa
2017-06-10 1:56 ` Kees Cook
2017-06-10 5:27 ` Tetsuo Handa
2017-06-12 0:34 ` Matt Brown
[not found] ` <d9aca46b-97c6-4faf-b559-484feb4aa640@digikod.net>
2017-06-12 2:32 ` Mimi Zohar
2017-06-12 14:27 ` Mimi Zohar
2017-06-14 14:10 ` Alan Cox [this message]
2017-06-14 20:37 ` [kernel-hardening] " Boris Lukashev
[not found] ` <8a2300ef-1462-0e1f-2d6a-81e6020bc71f@digikod.net>
2017-06-13 21:44 ` Casey Schaufler
2017-06-10 1:49 ` Tetsuo Handa
2017-06-09 15:06 ` Mimi Zohar
2017-06-09 15:23 ` Tetsuo Handa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170614151008.42bc57a2@alans-desktop \
--to=gnomes@lxorguk.ukuu.org.uk \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).