Date: Wed, 30 Mar 2022 18:06:15 +0200
From: Mickaël Salaün
To: Linus Torvalds
Cc: Al Viro, Andrew Morton, Christian Heimes, Geert Uytterhoeven, James Morris, Kees Cook, Luis Chamberlain, Mimi Zohar, Muhammad Usama Anjum, Paul Moore, Philippe Trébuchet, Shuah Khan, Steve Dower, Thibaut Sautereau, Vincent Strubel, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
In-Reply-To: <20220321161557.495388-1-mic@digikod.net>
References: <20220321161557.495388-1-mic@digikod.net>

Hi,

What is the status of this pull request? Do you need something more?

Regards,
Mickaël

On 21/03/2022 17:15, Mickaël Salaün wrote:
> Hi Linus,
>
> This patch series adds a new syscall named trusted_for. It enables user
> space to ask the kernel: is this file descriptor's content trusted to be
> used for this purpose? The set of usages currently only contains
> execution, but others may follow (e.g. configuration, sensitive data).
> If the kernel identifies the file descriptor as trustworthy for this
> usage, user space should then take this information into account. The
> "execution" usage means that the content of the file descriptor is
> trusted according to the system policy to be executed by user space,
> which means that it interprets the content or (tries to) map it as
> executable memory.
>
> A simple system-wide security policy can be set by the system
> administrator through a sysctl configuration consistent with the mount
> points or the file access rights. The documentation explains the
> prerequisites.
>
> It is important to note that this can only serve to extend access
> control managed by the kernel. Hence it enables current access control
> mechanisms to be extended and become a superset of what they can
> currently control. Indeed, the security policy could also be delegated
> to an LSM, either a MAC system or an integrity system. For instance,
> this is required to close a major IMA measurement/appraisal interpreter
> integrity gap by bringing the ability to check the use of scripts.
> Other uses are expected as well.
>
> For further details, please see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
>
> Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin()
> to sysctl.c") was recently added due to the sysctl refactoring.
>
> Commit e674341a90b9 ("selftests/interpreter: fix separate directory
> build") will fix some test build cases as explained here:
> https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@collabora.com
> Merging this commit without the new KHDR_INCLUDES is not an issue.
> The upcoming kselftest pull request is ready:
> https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next
>
> This patch series has been open for review for more than three years and
> got a lot of feedback (and bikeshedding), all of which was considered.
> Since I heard no objection, please consider pulling this code for
> v5.18-rc1. These five patches have been successfully tested in the
> latest linux-next releases for several weeks.
>
> Regards,
> Mickaël
>
> --
> The following changes since commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60:
>
>   gcc-plugins/stackleak: Use noinstr in favor of notrace (2022-02-03 17:02:21 -0800)
>
> are available in the Git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/trusted-for-v18
>
> for you to fetch changes up to e674341a90b95c3458d684ae25e6891afc3e03ad:
>
>   selftests/interpreter: fix separate directory build (2022-03-04 10:56:25 +0100)
>
> ----------------------------------------------------------------
> Add the trusted_for system call (v18)
>
> The final goal of this patch series is to enable the kernel to be a
> global policy manager by entrusting processes with access control at
> their level. To reach this goal, two complementary parts are required:
> * user space needs to be able to know if it can trust some file
>   descriptor content for a specific usage;
> * and the kernel needs to make available some part of the policy
>   configured by the system administrator.
>
> In a nutshell, this is a required building block to control script
> execution.
>
> For further details see the latest cover letter:
> https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net
>
> ----------------------------------------------------------------
> Mickaël Salaün (4):
>       printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c
>       fs: Add trusted_for(2) syscall implementation and related sysctl
>       arch: Wire up trusted_for(2)
>       selftest/interpreter: Add tests for trusted_for(2) policies
>
> Muhammad Usama Anjum (1):
>       selftests/interpreter: fix separate directory build
>
>  Documentation/admin-guide/sysctl/fs.rst            |  50 +++
>  arch/alpha/kernel/syscalls/syscall.tbl             |   1 +
>  arch/arm/tools/syscall.tbl                         |   1 +
>  arch/arm64/include/asm/unistd.h                    |   2 +-
>  arch/arm64/include/asm/unistd32.h                  |   2 +
>  arch/ia64/kernel/syscalls/syscall.tbl              |   1 +
>  arch/m68k/kernel/syscalls/syscall.tbl              |   1 +
>  arch/microblaze/kernel/syscalls/syscall.tbl        |   1 +
>  arch/mips/kernel/syscalls/syscall_n32.tbl          |   1 +
>  arch/mips/kernel/syscalls/syscall_n64.tbl          |   1 +
>  arch/mips/kernel/syscalls/syscall_o32.tbl          |   1 +
>  arch/parisc/kernel/syscalls/syscall.tbl            |   1 +
>  arch/powerpc/kernel/syscalls/syscall.tbl           |   1 +
>  arch/s390/kernel/syscalls/syscall.tbl              |   1 +
>  arch/sh/kernel/syscalls/syscall.tbl                |   1 +
>  arch/sparc/kernel/syscalls/syscall.tbl             |   1 +
>  arch/x86/entry/syscalls/syscall_32.tbl             |   1 +
>  arch/x86/entry/syscalls/syscall_64.tbl             |   1 +
>  arch/xtensa/kernel/syscalls/syscall.tbl            |   1 +
>  fs/open.c                                          | 133 ++++++++
>  fs/proc/proc_sysctl.c                              |   2 +-
>  include/linux/syscalls.h                           |   1 +
>  include/linux/sysctl.h                             |   3 +
>  include/uapi/asm-generic/unistd.h                  |   5 +-
>  include/uapi/linux/trusted-for.h                   |  18 +
>  kernel/printk/sysctl.c                             |   9 -
>  kernel/sysctl.c                                    |   9 +
>  tools/testing/selftests/Makefile                   |   1 +
>  tools/testing/selftests/interpreter/.gitignore     |   2 +
>  tools/testing/selftests/interpreter/Makefile       |  21 ++
>  tools/testing/selftests/interpreter/config         |   1 +
>  .../selftests/interpreter/trust_policy_test.c      | 362 +++++++++++++++++++++
>  32 files changed, 625 insertions(+), 12 deletions(-)
>  create mode 100644 include/uapi/linux/trusted-for.h
>  create mode 100644 tools/testing/selftests/interpreter/.gitignore
>  create mode 100644 tools/testing/selftests/interpreter/Makefile
>  create mode 100644 tools/testing/selftests/interpreter/config
>  create mode 100644 tools/testing/selftests/interpreter/trust_policy_test.c
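The check the quoted cover letter describes, as an added example that is not part of this thread or of the patch series: a user-space emulation in C of the two policy aspects the cover letter names (mount points and file access rights), done with fstat(2) and fstatvfs(2) where the real trusted_for(2) consults the kernel's sysctl policy. The POLICY_* bit names, the function names and the /tmp self-check path are assumptions made for this example.

```c
#define _GNU_SOURCE /* ST_NOEXEC */
/* Added example, not from the trusted_for patch series: user-space emulation of
 * the cover letter's two policy checks, which trusted_for(2) does in-kernel. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>
#define POLICY_MOUNT_NOEXEC 1 /* deny content on noexec mounts */
#define POLICY_FILE_MODE    2 /* deny content without an exec bit */

/* File access rights: a regular file with at least one exec bit set. */
int mode_allows_exec(mode_t mode)
{
    return S_ISREG(mode) && (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

/* Emulated trusted_for(fd, execution): 0 = may be interpreted, -1 = denied. */
int emulated_trusted_for_exec(int fd, int policy)
{
    struct stat st; struct statvfs vfs;
    if (fstat(fd, &st) < 0)
        return -1;
    if ((policy & POLICY_FILE_MODE) && !mode_allows_exec(st.st_mode))
        return -1;
    if ((policy & POLICY_MOUNT_NOEXEC) &&
        (fstatvfs(fd, &vfs) < 0 || (vfs.f_flag & ST_NOEXEC)))
        return -1;
    return 0;
}

/* Self-check on a constructed temp file: mkstemp creates it 0600, which the
 * file-mode policy denies; after fchmod 0700 the same fd is allowed. */
int demo_self_check(void)
{
    char path[] = "/tmp/trusted_for_demoXXXXXX";
    int fd = mkstemp(path);
    int ok = fd >= 0 && emulated_trusted_for_exec(fd, POLICY_FILE_MODE) == -1 &&
             fchmod(fd, 0700) == 0 && emulated_trusted_for_exec(fd, POLICY_FILE_MODE) == 0;
    if (fd >= 0) { close(fd); unlink(path); }
    return ok;
}

int main(int argc, char **argv)
{   /* "./demo script" checks that file; with no argument run the self-check */
    int fd = argc > 1 ? open(argv[1], O_RDONLY | O_CLOEXEC) : -1;
    if (fd < 0) return !demo_self_check();
    return puts(emulated_trusted_for_exec(fd, 3 /* both bits */) ? "denied" : "trusted"), 0;
}
```

An interpreter would run this check on the descriptor it is about to read rather than on a path, so the decision applies to the same file it will interpret.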