From: "Mickaël Salaün" <mic@digikod.net>
To: Kees Cook <kees@kernel.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Paul Moore <paul@paul-moore.com>, Theodore Ts'o <tytso@mit.edu>,
Alejandro Colomar <alx@kernel.org>,
Aleksa Sarai <cyphar@cyphar.com>,
Andrew Morton <akpm@linux-foundation.org>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Casey Schaufler <casey@schaufler-ca.com>,
Christian Heimes <christian@python.org>,
Dmitry Vyukov <dvyukov@google.com>,
Eric Biggers <ebiggers@kernel.org>,
Eric Chiang <ericchiang@google.com>,
Fan Wu <wufan@linux.microsoft.com>,
Florian Weimer <fweimer@redhat.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
James Morris <jamorris@linux.microsoft.com>,
Jan Kara <jack@suse.cz>, Jann Horn <jannh@google.com>,
Jeff Xu <jeffxu@google.com>, Jonathan Corbet <corbet@lwn.net>,
Jordan R Abrahams <ajordanr@google.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Luca Boccassi <bluca@debian.org>,
Luis Chamberlain <mcgrof@kernel.org>,
"Madhavan T . Venkataraman" <madvenka@linux.microsoft.com>,
Matt Bobrowski <mattbobrowski@google.com>,
Matthew Garrett <mjg59@srcf.ucam.org>,
Matthew Wilcox <willy@infradead.org>,
Miklos Szeredi <mszeredi@redhat.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>,
Scott Shell <scottsh@microsoft.com>,
Shuah Khan <shuah@kernel.org>,
Stephen Rothwell <sfr@canb.auug.org.au>,
Steve Dower <steve.dower@python.org>,
Steve Grubb <sgrubb@redhat.com>,
Thibaut Sautereau <thibaut.sautereau@ssi.gouv.fr>,
Vincent Strubel <vincent.strubel@ssi.gouv.fr>,
Xiaoming Ni <nixiaoming@huawei.com>,
Yin Fengwei <fengwei.yin@intel.com>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v19 2/5] security: Add new SHOULD_EXEC_CHECK and SHOULD_EXEC_RESTRICT securebits
Date: Fri, 5 Jul 2024 19:54:16 +0200 [thread overview]
Message-ID: <20240705.IeTheequ7Ooj@digikod.net> (raw)
In-Reply-To: <202407041711.B7CD16B2@keescook>
On Thu, Jul 04, 2024 at 05:18:04PM -0700, Kees Cook wrote:
> On Thu, Jul 04, 2024 at 09:01:34PM +0200, Mickaël Salaün wrote:
> > Such a secure environment can be achieved with an appropriate access
> > control policy (e.g. mount's noexec option, file access rights, LSM
> > configuration) and an enlighten ld.so checking that libraries are
> > allowed for execution e.g., to protect against illegitimate use of
> > LD_PRELOAD.
> >
> > Scripts may need some changes to deal with untrusted data (e.g. stdin,
> > environment variables), but that is outside the scope of the kernel.
>
> If the threat model includes an attacker sitting at a shell prompt, we
> need to be very careful about how process perform enforcement. E.g. even
> on a locked down system, if an attacker has access to LD_PRELOAD or a
LD_PRELOAD should be OK once ld.so will be patched to check the
libraries. We can still imagine a debug library used to bypass security
checks, but in this case the issue would be that this library is
executable in the first place.
> seccomp wrapper (which you both mention here), it would be possible to
> run commands where the resulting process is tricked into thinking it
> doesn't have the bits set.
As explained in the UAPI comments, all parent processes need to be
trusted. This meeans that their code is trusted, their seccomp filters
are trusted, and that they are patched, if needed, to check file
executability.
>
> But this would be exactly true for calling execveat(): LD_PRELOAD or
> seccomp policy could have it just return 0.
If an attacker is allowed/able to load an arbitrary seccomp filter on a
process, we cannot trust this process.
>
> While I like AT_CHECK, I do wonder if it's better to do the checks via
> open(), as was originally designed with O_MAYEXEC. Because then
> enforcement is gated by the kernel -- the process does not get a file
> descriptor _at all_, no matter what LD_PRELOAD or seccomp tricks it into
> doing.
Being able to check a path name or a file descriptor (with the same
syscall) is more flexible and cover more use cases. The execveat(2)
interface, including current and future flags, is dedicated to file
execution. I then think that using execveat(2) for this kind of check
makes more sense, and will easily evolve with this syscall.
>
> And this thinking also applies to faccessat() too: if a process can be
> tricked into thinking the access check passed, it'll happily interpret
> whatever. :( But not being able to open the fd _at all_ when O_MAYEXEC
> is being checked seems substantially safer to me...
If attackers can filter execveat(2), they can also filter open(2) and
any other syscalls. In all cases, that would mean an issue in the
security policy.
next prev parent reply other threads:[~2024-07-05 17:54 UTC|newest]
Thread overview: 102+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-04 19:01 [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC) Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2) Mickaël Salaün
2024-07-05 0:04 ` Kees Cook
2024-07-05 17:53 ` Mickaël Salaün
2024-07-08 19:38 ` Kees Cook
2024-07-05 18:03 ` Florian Weimer
2024-07-06 14:55 ` Mickaël Salaün
2024-07-06 15:32 ` Florian Weimer
2024-07-08 8:56 ` Mickaël Salaün
2024-07-08 16:37 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC (was: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)) Florian Weimer
2024-07-08 17:34 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC Eric W. Biederman
2024-07-08 17:59 ` Florian Weimer
2024-07-10 10:05 ` [PATCH] binfmt_elf: Fail execution of shared objects with ELIBEXEC (was: Re: [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)) Mickaël Salaün
2024-07-08 16:08 ` [RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2) Jeff Xu
2024-07-08 16:25 ` Florian Weimer
2024-07-08 16:40 ` Jeff Xu
2024-07-08 17:05 ` Mickaël Salaün
2024-07-08 17:33 ` Florian Weimer
2024-07-08 17:52 ` Jeff Xu
2024-07-09 9:18 ` Mickaël Salaün
2024-07-09 10:05 ` Florian Weimer
2024-07-09 20:42 ` Mickaël Salaün
2024-07-09 18:57 ` Jeff Xu
2024-07-09 20:41 ` Mickaël Salaün
2024-07-06 8:52 ` Andy Lutomirski
2024-07-07 9:01 ` Mickaël Salaün
2024-07-17 6:33 ` Jeff Xu
2024-07-17 8:26 ` Steve Dower
2024-07-17 10:00 ` Mickaël Salaün
2024-07-18 1:02 ` Andy Lutomirski
2024-07-18 12:22 ` Mickaël Salaün
2024-07-20 1:59 ` Andy Lutomirski
2024-07-20 11:43 ` Jarkko Sakkinen
2024-07-23 13:16 ` Mickaël Salaün
2024-07-23 13:16 ` Mickaël Salaün
2024-07-18 1:51 ` Jeff Xu
2024-07-18 12:23 ` Mickaël Salaün
2024-07-18 22:54 ` Jeff Xu
2024-07-17 10:01 ` Mickaël Salaün
2024-07-18 2:08 ` Jeff Xu
2024-07-18 12:24 ` Mickaël Salaün
2024-07-18 13:03 ` James Bottomley
2024-07-18 15:35 ` Mickaël Salaün
2024-07-19 1:29 ` Jeff Xu
2024-07-19 8:44 ` Mickaël Salaün
2024-07-19 14:16 ` Jeff Xu
2024-07-19 15:04 ` Mickaël Salaün
2024-07-19 15:27 ` Jeff Xu
2024-07-23 13:15 ` Mickaël Salaün
2024-08-05 18:35 ` Jeff Xu
2024-08-09 8:45 ` Mickaël Salaün
2024-08-09 16:15 ` Jeff Xu
2024-07-19 15:12 ` Jeff Xu
2024-07-19 15:31 ` Mickaël Salaün
2024-07-19 17:36 ` Jeff Xu
2024-07-23 13:15 ` Mickaël Salaün
2024-07-18 14:46 ` enh
2024-07-18 15:35 ` Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 2/5] security: Add new SHOULD_EXEC_CHECK and SHOULD_EXEC_RESTRICT securebits Mickaël Salaün
2024-07-05 0:18 ` Kees Cook
2024-07-05 17:54 ` Mickaël Salaün [this message]
2024-07-05 21:44 ` Kees Cook
2024-07-05 22:22 ` Jarkko Sakkinen
2024-07-06 14:56 ` Mickaël Salaün
2024-07-06 17:28 ` Jarkko Sakkinen
2024-07-06 14:56 ` Mickaël Salaün
2024-07-18 14:16 ` Roberto Sassu
2024-07-18 16:20 ` Mickaël Salaün
2024-07-08 16:17 ` Jeff Xu
2024-07-08 17:53 ` Jeff Xu
2024-07-08 18:48 ` Mickaël Salaün
2024-07-08 21:15 ` Jeff Xu
2024-07-08 21:25 ` Steve Dower
2024-07-08 22:07 ` Jeff Xu
2024-07-09 20:42 ` Mickaël Salaün
2024-07-09 21:57 ` Jeff Xu
2024-07-10 9:58 ` Mickaël Salaün
2024-07-10 16:26 ` Kees Cook
2024-07-11 8:57 ` Mickaël Salaün
2024-07-16 15:02 ` Jeff Xu
2024-07-16 15:10 ` Steve Dower
2024-07-16 15:15 ` Mickaël Salaün
2024-07-16 15:18 ` Jeff Xu
2024-07-10 16:32 ` Steve Dower
2024-07-20 2:06 ` Andy Lutomirski
2024-07-23 13:15 ` Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 3/5] selftests/exec: Add tests for AT_CHECK and related securebits Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 4/5] selftests/landlock: Add tests for execveat + AT_CHECK Mickaël Salaün
2024-07-04 19:01 ` [RFC PATCH v19 5/5] samples/should-exec: Add set-should-exec Mickaël Salaün
2024-07-08 19:40 ` Mimi Zohar
2024-07-09 20:42 ` Mickaël Salaün
2024-07-08 20:35 ` [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC) Mimi Zohar
2024-07-09 20:43 ` Mickaël Salaün
2024-07-16 15:57 ` Roberto Sassu
2024-07-16 16:12 ` James Bottomley
2024-07-16 17:31 ` Mickaël Salaün
2024-07-18 16:21 ` Mickaël Salaün
[not found] ` <E608EDB8-72E8-4791-AC9B-8FF9AC753FBE@sempervictus.com>
2024-07-16 17:47 ` Mickaël Salaün
2024-07-17 17:59 ` Boris Lukashev
2024-07-18 13:00 ` Mickaël Salaün
2024-07-15 20:16 ` Jonathan Corbet
2024-07-16 7:13 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240705.IeTheequ7Ooj@digikod.net \
--to=mic@digikod.net \
--cc=ajordanr@google.com \
--cc=akpm@linux-foundation.org \
--cc=alx@kernel.org \
--cc=arnd@arndb.de \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=ericchiang@google.com \
--cc=fengwei.yin@intel.com \
--cc=fweimer@redhat.com \
--cc=geert@linux-m68k.org \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=kees@kernel.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=madvenka@linux.microsoft.com \
--cc=mattbobrowski@google.com \
--cc=mcgrof@kernel.org \
--cc=mjg59@srcf.ucam.org \
--cc=mszeredi@redhat.com \
--cc=nicolas.bouchinet@ssi.gouv.fr \
--cc=nixiaoming@huawei.com \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=scottsh@microsoft.com \
--cc=sfr@canb.auug.org.au \
--cc=sgrubb@redhat.com \
--cc=shuah@kernel.org \
--cc=steve.dower@python.org \
--cc=thibaut.sautereau@ssi.gouv.fr \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vincent.strubel@ssi.gouv.fr \
--cc=viro@zeniv.linux.org.uk \
--cc=willy@infradead.org \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).