From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60F56C433EB for ; Fri, 24 Jul 2020 19:03:25 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 3FC80206D8 for ; Fri, 24 Jul 2020 19:03:25 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="HWLOLY2m" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726759AbgGXTDY (ORCPT ); Fri, 24 Jul 2020 15:03:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33700 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726652AbgGXTDX (ORCPT ); Fri, 24 Jul 2020 15:03:23 -0400 Received: from mail-pl1-x641.google.com (mail-pl1-x641.google.com [IPv6:2607:f8b0:4864:20::641]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4D9ABC0619D3 for ; Fri, 24 Jul 2020 12:03:23 -0700 (PDT) Received: by mail-pl1-x641.google.com with SMTP id p1so5019553pls.4 for ; Fri, 24 Jul 2020 12:03:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to; bh=f0lKwdFa2tE754eWyXOOIFz3gWD2EzuwPTrCttQ++tE=; b=HWLOLY2m7CMUOQYAp0GqUyHeBr+slwYCrPxK4fmOYzQKeY1Sqn9NsstNWgyO0gYfZz TUCLaYuoK1a5vP1C228zV0xEZgcjSBAnqzIr+6yAndPlXzf8D3bRRlqtGTaJ8eamUTu0 m/nF3ewNlRWYDQ/wxxQHLPQatyOp/cmIjNB+w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:content-transfer-encoding :in-reply-to; bh=f0lKwdFa2tE754eWyXOOIFz3gWD2EzuwPTrCttQ++tE=; b=n7nVUN8ePFGRkoaUZwPkeOiPh5LX3dNB2bvL+XEyGIvV4enE1dJf9O6MDzb6LqWsm8 kWA+OV8hi49fS3a8ky89F1oteipGEVx1c7R6Rw4L4N+XFs4GtZHP2xQLr9WYr4zsHC0J Q0weuJ73s5fmO04RoJPIlUTFg4cTLBJGWlDxGRZmzYCIGwTUCEUUBs82N1fDa1SHZQNy apMDmDvKDCP5neAKCO/A3fNdp1AQlDg0kzKEDrJhXY5LLLfEQJCs1XnXvVXnlFFclevB +yCdsyIHB7QIdmkIfAWszswIy6R92xS3+E9yffhnyUWRP7XHjmkFWVBD2VjTMbTtIwUW RiHA== X-Gm-Message-State: AOAM5328YpVzgFrezQgJ4UJ9N1QSMESZvbYgLU9XYeft7kdfhIxTaI+m URkBvf96j8O3RacaTbHexuBD8A== X-Google-Smtp-Source: ABdhPJyQSqTNd3BVzP4VWxiWnp6p6oQzAmDBIOJnaoSdP+OBPVoNfaPuvwcTsPgk9o7oKdilefLQ/Q== X-Received: by 2002:a17:902:c252:: with SMTP id 18mr9772518plg.39.1595617402829; Fri, 24 Jul 2020 12:03:22 -0700 (PDT) Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163]) by smtp.gmail.com with ESMTPSA id z11sm7283037pfj.104.2020.07.24.12.03.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 24 Jul 2020 12:03:22 -0700 (PDT) Date: Fri, 24 Jul 2020 12:03:21 -0700 From: Kees Cook To: =?iso-8859-1?Q?Micka=EBl_Sala=FCn?= Cc: linux-kernel@vger.kernel.org, Aleksa Sarai , Alexei Starovoitov , Al Viro , Andrew Morton , Andy Lutomirski , Christian Brauner , Christian Heimes , Daniel Borkmann , Deven Bowers , Dmitry Vyukov , Eric Biggers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , Mimi Zohar , Philippe =?iso-8859-1?Q?Tr=E9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Tetsuo Handa , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Thibaut Sautereau , Randy Dunlap Subject: Re: [PATCH v7 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC Message-ID: <202007241203.0C596BB36@keescook> References: <20200723171227.446711-1-mic@digikod.net> <20200723171227.446711-6-mic@digikod.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20200723171227.446711-6-mic@digikod.net> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jul 23, 2020 at 07:12:25PM +0200, Mickaël Salaün wrote: > Allow for the enforcement of the O_MAYEXEC openat2(2) flag. Thanks to > the noexec option from the underlying VFS mount, or to the file execute > permission, userspace can enforce these execution policies. This may > allow script interpreters to check execution permission before reading > commands from a file, or dynamic linkers to allow shared object loading. > > Add a new sysctl fs.open_mayexec_enforce to enable system administrators > to enforce two complementary security policies according to the > installed system: enforce the noexec mount option, and enforce > executable file permission. Indeed, because of compatibility with > installed systems, only system administrators are able to check that > this new enforcement is in line with the system mount points and file > permissions. A following patch adds documentation. > > Being able to restrict execution also enables to protect the kernel by > restricting arbitrary syscalls that an attacker could perform with a > crafted binary or certain script languages. It also improves multilevel > isolation by reducing the ability of an attacker to use side channels > with specific code. These restrictions can natively be enforced for ELF > binaries (with the noexec mount option) but require this kernel > extension to properly handle scripts (e.g., Python, Perl). To get a > consistent execution policy, additional memory restrictions should also > be enforced (e.g. thanks to SELinux). > > Because the O_MAYEXEC flag is a meant to enforce a system-wide security > policy (but not application-centric policies), it does not make sense > for userland to check the sysctl value. Indeed, this new flag only > enables to extend the system ability to enforce a policy thanks to (some > trusted) userland collaboration. Moreover, additional security policies > could be managed by LSMs. This is a best-effort approach from the > application developer point of view: > https://lore.kernel.org/lkml/1477d3d7-4b36-afad-7077-a38f42322238@digikod.net/ > > Signed-off-by: Mickaël Salaün Acked-by: Kees Cook -- Kees Cook