Date:   Tue, 11 Jul 2017 18:58:13 +0200
From:   Salvatore Mesoraca <s.mesoraca16@...il.com>
To:     Mickaël Salaün <mic@...ikod.net>
Cc:     kernel list <linux-kernel@...r.kernel.org>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>,
        Brad Spengler <spender@...ecurity.net>,
        PaX Team <pageexec@...email.hu>,
        Casey Schaufler <casey@...aufler-ca.com>,
        Kees Cook <keescook@...omium.org>,
        James Morris <james.l.morris@...cle.com>,
        "Serge E. Hallyn" <serge@...lyn.com>, Matt Brown <matt@...tt.com>,
        Mimi Zohar <zohar@...ux.vnet.ibm.com>
Subject: Re: [kernel-hardening] [PATCH 00/11] S.A.R.A. a new stacked LSM

2017-07-11 1:40 GMT+02:00 Mickaël Salaün <mic@...ikod.net>:
>
> On 10/07/2017 09:59, Salvatore Mesoraca wrote:
>> 2017-07-09 21:35 GMT+02:00 Mickaël Salaün <mic@...ikod.net>:
>>> Hi,
>>>
>>> I think it makes sense to merge the W^X features with the TPE/shebang LSM
>>> [1].
>>>
>>> Regards,
>>>  Mickaël
>>>
>>> [1]
>>> https://lkml.kernel.org/r/d9aca46b-97c6-4faf-b559-484feb4aa640@digikod.net
>>
>> Hi,
>> Can you elaborate why it would be an advantage to have those features merged?
>> They seem quite unrelated.
>> Also, they work in rather different ways with respect to how they are configured.
>> I'm not sure what would be a reasonable way to merge them.
>> Thank you for your comment,
>>
>> Salvatore
>>
>
> The aim of the Trusted Path Execution is to constrain calls to execve
> (e.g. forbid a user to execute his own binaries, i.e. apply a W^X
> security policy). This should handle binaries and could handle scripts
> too [1]. However, there is always a way for a process to mmap/mprotect
> arbitrary data and make it executable, be it intentional or not. PaX and
> the W^X part of your LSM can handle this, or make exceptions by marking
> a file with dedicated xattr values. This kind of exception fits well with
> TPE to get a more hardened executable security policy (e.g. forbid a
> user to execute his own binaries or to mmap arbitrary executable code).
> Moreover, TPE could handle some part of its configuration from some
> xattr values (e.g. allow scripts/interpreters, a whitelist of
> environment variables, additional memory restrictions…) as you do with
> SARA thanks to your tools.

I understand your point. They complement each other in some sense.
On the other hand, I'm still worried about the suitability of merging,
under the same LSM, two features that are managed in two
completely different ways.
IMHO, if they have to be merged, they should be "integrated".
As I see it, there are only 3 possible solutions to this problem:
1 - SARA gives up its configuration mechanics and starts using xattrs
2 - TPE/shebang gives up xattrs and starts using SARA-style configurations
3 - SARA adds xattrs support to its quiver *and* TPE/shebang adds SARA-style
     configuration support.

The solution number 1 is the one I'm less inclined to, as you can imagine.
I'm in favor of solutions 2 and 3, but of course we need to know Mimi Zohar's and
Matt Brown's opinions on this matter.
If we can find a consensus on the best way to merge them, I'm not against
the merge.
Anyway, these LSMs are stackable and they can be used together even if they
don't get merged. So I think that merging them is not a "must".

Salvatore
