From: "Mickaël Salaün" <mic@digikod.net>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Al Viro" <viro@zeniv.linux.org.uk>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Christian Heimes" <christian@python.org>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>,
	"James Morris" <jmorris@namei.org>,
	"Kees Cook" <keescook@chromium.org>,
	"Luis Chamberlain" <mcgrof@kernel.org>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"Muhammad Usama Anjum" <usama.anjum@collabora.com>,
	"Paul Moore" <paul@paul-moore.com>,
	"Philippe Trébuchet" <philippe.trebuchet@ssi.gouv.fr>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Steve Dower" <steve.dower@python.org>,
	"Thibaut Sautereau" <thibaut.sautereau@ssi.gouv.fr>,
	"Vincent Strubel" <vincent.strubel@ssi.gouv.fr>,
	linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
Date: Wed, 30 Mar 2022 18:06:15 +0200	[thread overview]
Message-ID: <f6cf4112-b7b9-7ad7-dbb0-27304176146f@digikod.net> (raw)
In-Reply-To: <20220321161557.495388-1-mic@digikod.net>

Hi,

What is the status of this pull request? Do you need something more?

Regards,
  Mickaël


On 21/03/2022 17:15, Mickaël Salaün wrote:
> Hi Linus,
> 
> This patch series adds a new syscall named trusted_for.  It enables user
> space to ask the kernel: is this file descriptor's content trusted to be
> used for this purpose?  The set of usage currently only contains
> execution, but others may follow (e.g. configuration, sensitive data).
> If the kernel identifies the file descriptor as trustworthy for this
> usage, user space should then take this information into account.  The
> "execution" usage means that the content of the file descriptor is
> trusted according to the system policy to be executed by user space,
> which means that it interprets the content or (tries to) map it as
> executable memory.
> 
> A simple system-wide security policy can be set by the system
> administrator through a sysctl configuration consistent with the mount
> points or the file access rights.  The documentation explains the
> prerequisites.
> 
> It is important to note that this can only extend access control
> managed by the kernel.  Hence it enables current access control
> mechanisms to be extended and become a superset of what they can
> currently control.  Indeed, the security policy could also be delegated
> to an LSM, either a MAC system or an integrity system.  For instance,
> this is required to close a major IMA measurement/appraisal interpreter
> integrity gap by bringing the ability to check the use of scripts.
> Other uses are expected as well.
> 
> For further details, please see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
> 
> Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin()
> to sysctl.c") was recently added due to the sysctl refactoring.
> 
> Commit e674341a90b9 ("selftests/interpreter: fix separate directory
> build") will fix some test build cases as explained here:
> https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@collabora.com
> Merging this commit without the new KHDR_INCLUDES is not an issue.
> The upcoming kselftest pull request is ready:
> https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next
> 
> This patch series has been open for review for more than three years and
> got a lot of feedback (and bikeshedding) which was all considered.
> Since I heard no objection, please consider pulling this code for
> v5.18-rc1.  These five patches have been successfully tested in the
> latest linux-next releases for several weeks.
> 
> Regards,
>   Mickaël
> 
> --
> The following changes since commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60:
> 
>    gcc-plugins/stackleak: Use noinstr in favor of notrace (2022-02-03 17:02:21 -0800)
> 
> are available in the Git repository at:
> 
>    git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/trusted-for-v18
> 
> for you to fetch changes up to e674341a90b95c3458d684ae25e6891afc3e03ad:
> 
>    selftests/interpreter: fix separate directory build (2022-03-04 10:56:25 +0100)
> 
> ----------------------------------------------------------------
> Add the trusted_for system call (v18)
> 
> The final goal of this patch series is to enable the kernel to be a
> global policy manager by entrusting processes with access control at
> their level.  To reach this goal, two complementary parts are required:
> * user space needs to be able to know if it can trust some file
>    descriptor content for a specific usage;
> * and the kernel needs to make available some part of the policy
>    configured by the system administrator.
> 
> In a nutshell, this is a required building block to control script
> execution.
> 
> For further details see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
> 
> ----------------------------------------------------------------
> Mickaël Salaün (4):
>        printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c
>        fs: Add trusted_for(2) syscall implementation and related sysctl
>        arch: Wire up trusted_for(2)
>        selftest/interpreter: Add tests for trusted_for(2) policies
> 
> Muhammad Usama Anjum (1):
>        selftests/interpreter: fix separate directory build
> 
>   Documentation/admin-guide/sysctl/fs.rst            |  50 +++
>   arch/alpha/kernel/syscalls/syscall.tbl             |   1 +
>   arch/arm/tools/syscall.tbl                         |   1 +
>   arch/arm64/include/asm/unistd.h                    |   2 +-
>   arch/arm64/include/asm/unistd32.h                  |   2 +
>   arch/ia64/kernel/syscalls/syscall.tbl              |   1 +
>   arch/m68k/kernel/syscalls/syscall.tbl              |   1 +
>   arch/microblaze/kernel/syscalls/syscall.tbl        |   1 +
>   arch/mips/kernel/syscalls/syscall_n32.tbl          |   1 +
>   arch/mips/kernel/syscalls/syscall_n64.tbl          |   1 +
>   arch/mips/kernel/syscalls/syscall_o32.tbl          |   1 +
>   arch/parisc/kernel/syscalls/syscall.tbl            |   1 +
>   arch/powerpc/kernel/syscalls/syscall.tbl           |   1 +
>   arch/s390/kernel/syscalls/syscall.tbl              |   1 +
>   arch/sh/kernel/syscalls/syscall.tbl                |   1 +
>   arch/sparc/kernel/syscalls/syscall.tbl             |   1 +
>   arch/x86/entry/syscalls/syscall_32.tbl             |   1 +
>   arch/x86/entry/syscalls/syscall_64.tbl             |   1 +
>   arch/xtensa/kernel/syscalls/syscall.tbl            |   1 +
>   fs/open.c                                          | 133 ++++++++
>   fs/proc/proc_sysctl.c                              |   2 +-
>   include/linux/syscalls.h                           |   1 +
>   include/linux/sysctl.h                             |   3 +
>   include/uapi/asm-generic/unistd.h                  |   5 +-
>   include/uapi/linux/trusted-for.h                   |  18 +
>   kernel/printk/sysctl.c                             |   9 -
>   kernel/sysctl.c                                    |   9 +
>   tools/testing/selftests/Makefile                   |   1 +
>   tools/testing/selftests/interpreter/.gitignore     |   2 +
>   tools/testing/selftests/interpreter/Makefile       |  21 ++
>   tools/testing/selftests/interpreter/config         |   1 +
>   .../selftests/interpreter/trust_policy_test.c      | 362 +++++++++++++++++++++
>   32 files changed, 625 insertions(+), 12 deletions(-)
>   create mode 100644 include/uapi/linux/trusted-for.h
>   create mode 100644 tools/testing/selftests/interpreter/.gitignore
>   create mode 100644 tools/testing/selftests/interpreter/Makefile
>   create mode 100644 tools/testing/selftests/interpreter/config
>   create mode 100644 tools/testing/selftests/interpreter/trust_policy_test.c
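The interpreter-side usage the quoted pull request describes (user space asks the kernel whether an fd's content is trusted for execution, then acts on the answer), as an added example that is not part of this thread and not code from the series. It assumes, from the series' uapi header rather than from anything on this page, that the call is trusted_for(fd, usage, flags) with TRUSTED_FOR_EXECUTION (value 1) as the only usage, that a denial comes back as EACCES, and that matching kernel headers define __NR_trusted_for; on a kernel or headers without the series the call reports ENOSYS, and the example shows how an interpreter should treat that case. The script it checks is a constructed temp file, so it runs offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Assumed from the series' include/uapi/linux/trusted-for.h (not shown on
 * this page): the only usage defined so far is execution. */
#define TRUSTED_FOR_EXECUTION 1

enum exec_decision {
	EXEC_ALLOWED,            /* kernel policy trusts this fd for execution */
	EXEC_DENIED,             /* kernel policy refuses: EACCES */
	EXEC_POLICY_UNAVAILABLE, /* running kernel has no trusted_for(2): ENOSYS */
	EXEC_ERROR,              /* anything else, e.g. EBADF */
};

/* Raw wrapper; without headers carrying the series this behaves like an old kernel. */
static int sys_trusted_for(int fd, int usage, unsigned int flags)
{
#ifdef __NR_trusted_for
	return (int)syscall(__NR_trusted_for, fd, usage, flags);
#else
	(void)fd; (void)usage; (void)flags;
	errno = ENOSYS;
	return -1;
#endif
}

/* Ask about the fd that will actually be read or mapped, never about a path:
 * a second path lookup could resolve to a different file than the one the
 * interpreter then executes. */
enum exec_decision check_script_fd(int fd)
{
	if (sys_trusted_for(fd, TRUSTED_FOR_EXECUTION, 0) == 0)
		return EXEC_ALLOWED;
	switch (errno) {
	case EACCES:
		return EXEC_DENIED;
	case ENOSYS:
		return EXEC_POLICY_UNAVAILABLE;
	default:
		return EXEC_ERROR;
	}
}

/* Interpreter-side policy on top of the kernel's answer: fail_closed says
 * whether to run scripts when the kernel cannot vouch for them at all.
 * Returns 1 if the script may be interpreted. */
int may_run_script(enum exec_decision d, int fail_closed)
{
	switch (d) {
	case EXEC_ALLOWED:
		return 1;
	case EXEC_POLICY_UNAVAILABLE:
		return fail_closed ? 0 : 1;
	default:
		return 0;
	}
}

/* Constructed sample input: an unlinked temp file holding a tiny shell script. */
int open_constructed_script(void)
{
	static const char body[] = "#!/bin/sh\necho hello from a script\n";
	char path[] = "/tmp/trusted_for_demo_XXXXXX";
	int fd = mkstemp(path);
	if (fd < 0)
		return -1;
	unlink(path);
	if (write(fd, body, sizeof(body) - 1) != (ssize_t)(sizeof(body) - 1) ||
	    lseek(fd, 0, SEEK_SET) != 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Check the constructed script the way an interpreter checks an fd it was handed. */
enum exec_decision demo_check_constructed(void)
{
	int fd = open_constructed_script();
	enum exec_decision d;
	if (fd < 0)
		return EXEC_ERROR;
	d = check_script_fd(fd);
	close(fd);
	return d;
}

int main(void)
{
	static const char *const names[] = { "allowed", "denied",
		"unsupported by this kernel", "error" };
	enum exec_decision d = demo_check_constructed();

	printf("trusted_for(TRUSTED_FOR_EXECUTION) on the sample script: %s\n", names[d]);
	return may_run_script(d, 1) ? 0 : 1; /* fail closed when the kernel cannot answer */
}
```

On a kernel without the series the program prints "unsupported by this kernel" and, because it fails closed, exits non-zero; whether an interpreter should fail open instead when the syscall is absent is the deployment choice the fail_closed argument makes explicit rather than implicit.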


Thread overview: 21+ messages
2022-03-21 16:15 [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Mickaël Salaün
2022-03-21 17:38 ` Luis Chamberlain
2022-03-21 18:05   ` Mickaël Salaün
2022-03-21 23:32     ` Luis Chamberlain
2022-03-30 16:06 ` Mickaël Salaün [this message]
2022-04-04 18:40 ` Kees Cook
2022-04-04 18:47   ` Linus Torvalds
2022-04-04 20:30     ` Mickaël Salaün
2022-04-04 21:28       ` Linus Torvalds
2022-04-04 21:40         ` Linus Torvalds
2022-04-04 22:25         ` Kees Cook
2022-04-04 23:26           ` Linus Torvalds
2022-04-05 16:09             ` Mickaël Salaün
2022-04-05 16:17               ` Linus Torvalds
2023-02-08 19:32               ` Kees Cook
2023-02-09 15:43                 ` Mickaël Salaün
2022-04-05 22:21             ` Theodore Ts'o
2022-04-05 15:55           ` Mickaël Salaün
2022-04-05 15:38         ` Mickaël Salaün
2022-04-05 14:54       ` Theodore Ts'o
2022-04-05 16:14         ` Mickaël Salaün
