From patchwork Tue May 5 15:31:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 11529465 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F3DDE1392 for ; Tue, 5 May 2020 15:32:59 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E44AC2078C for ; Tue, 5 May 2020 15:32:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730244AbgEEPc6 (ORCPT ); Tue, 5 May 2020 11:32:58 -0400 Received: from smtp-190e.mail.infomaniak.ch ([185.125.25.14]:41879 "EHLO smtp-190e.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730251AbgEEPc6 (ORCPT ); Tue, 5 May 2020 11:32:58 -0400 Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 49GkHY2npdzlhp0K; Tue, 5 May 2020 17:32:25 +0200 (CEST) Received: from localhost (unknown [94.23.54.103]) by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 49GkHX62J1zlqCkb; Tue, 5 May 2020 17:32:24 +0200 (CEST) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: linux-kernel@vger.kernel.org Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Aleksa Sarai , Alexei Starovoitov , Al Viro , Andy Lutomirski , Christian Heimes , Daniel Borkmann , Deven Bowers , Eric Chiang , Florian Weimer , James Morris , Jan Kara , Jann Horn , Jonathan Corbet , Kees Cook , Lakshmi Ramasubramanian , Matthew Garrett , Matthew Wilcox , Michael Kerrisk , =?utf-8?q?Micka=C3=ABl_Sala=C3=BC?= =?utf-8?q?n?= , Mimi Zohar , =?utf-8?q?Philippe_Tr=C3=A9buchet?= , Scott Shell , Sean Christopherson , Shuah Khan , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: [PATCH v5 5/6] doc: Add documentation for the fs.open_mayexec_enforce sysctl Date: Tue, 5 May 2020 17:31:55 +0200 Message-Id: <20200505153156.925111-6-mic@digikod.net> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200505153156.925111-1-mic@digikod.net> References: <20200505153156.925111-1-mic@digikod.net> MIME-Version: 1.0 X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8 X-Antivirus-Code: 0x100000 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org This sysctl enables to propagate executable permission to userspace thanks to the O_MAYEXEC flag. Signed-off-by: Mickaël Salaün Reviewed-by: Thibaut Sautereau Cc: Aleksa Sarai Cc: Al Viro Cc: Jonathan Corbet Cc: Kees Cook --- Changes since v3: * Switch back to O_MAYEXEC and highlight that it is only taken into account by openat2(2). Changes since v2: * Update documentation with the new RESOLVE_MAYEXEC. * Improve explanations, including concerns about LD_PRELOAD. Changes since v1: * Move from LSM/Yama to sysctl/fs . --- Documentation/admin-guide/sysctl/fs.rst | 44 +++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst index 2a45119e3331..d55615c36772 100644 --- a/Documentation/admin-guide/sysctl/fs.rst +++ b/Documentation/admin-guide/sysctl/fs.rst @@ -37,6 +37,7 @@ Currently, these files are in /proc/sys/fs: - inode-nr - inode-state - nr_open +- open_mayexec_enforce - overflowuid - overflowgid - pipe-user-pages-hard @@ -165,6 +166,49 @@ system needs to prune the inode list instead of allocating more. +open_mayexec_enforce +-------------------- + +While being ignored by :manpage:`open(2)` and :manpage:`openat(2)`, the +``O_MAYEXEC`` flag can be passed to :manpage:`openat2(2)` to only open regular +files that are expected to be executable. If the file is not identified as +executable, then the syscall returns -EACCES. This may allow a script +interpreter to check executable permission before reading commands from a file, +or a dynamic linker to only load executable shared objects. One interesting +use case is to enforce a "write xor execute" policy through interpreters. + +The ability to restrict code execution must be thought as a system-wide policy, +which first starts by restricting mount points with the ``noexec`` option. +This option is also automatically applied to special filesystems such as /proc +. This prevents files on such mount points to be directly executed by the +kernel or mapped as executable memory (e.g. libraries). With script +interpreters using the ``O_MAYEXEC`` flag, the executable permission can then +be checked before reading commands from files. This makes it possible to +enforce the ``noexec`` at the interpreter level, and thus propagates this +security policy to scripts. To be fully effective, these interpreters also +need to handle the other ways to execute code: command line parameters (e.g., +option ``-e`` for Perl), module loading (e.g., option ``-m`` for Python), +stdin, file sourcing, environment variables, configuration files, etc. +According to the threat model, it may be acceptable to allow some script +interpreters (e.g. Bash) to interpret commands from stdin, may it be a TTY or a +pipe, because it may not be enough to (directly) perform syscalls. + +There are two complementary security policies: enforce the ``noexec`` mount +option, and enforce executable file permission. These policies are handled by +the ``fs.open_mayexec_enforce`` sysctl (writable only with ``CAP_MAC_ADMIN``) +as a bitmask: + +1 - Mount restriction: checks that the mount options for the underlying VFS + mount do not prevent execution. + +2 - File permission restriction: checks that the to-be-opened file is marked as + executable for the current process (e.g., POSIX permissions). + +Code samples can be found in tools/testing/selftests/openat2/omayexec_test.c +and at +https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC . + + overflowgid & overflowuid -------------------------