| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 5 May 2020 10:40:31 -0700
From: Randy Dunlap <rdunlap@...radead.org>
To: Mickaël Salaün <mic@...ikod.net>,
linux-kernel@...r.kernel.org
Cc: Aleksa Sarai <cyphar@...har.com>,
Alexei Starovoitov <ast@...nel.org>,
Al Viro <viro@...iv.linux.org.uk>,
Andy Lutomirski <luto@...nel.org>,
Christian Heimes <christian@...hon.org>,
Daniel Borkmann <daniel@...earbox.net>,
Deven Bowers <deven.desai@...ux.microsoft.com>,
Eric Chiang <ericchiang@...gle.com>,
Florian Weimer <fweimer@...hat.com>,
James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>,
Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>,
Kees Cook <keescook@...omium.org>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
Matthew Garrett <mjg59@...gle.com>,
Matthew Wilcox <willy@...radead.org>,
Michael Kerrisk <mtk.manpages@...il.com>,
Mickaël Salaün <mickael.salaun@....gouv.fr>,
Mimi Zohar <zohar@...ux.ibm.com>,
Philippe Trébuchet
<philippe.trebuchet@....gouv.fr>,
Scott Shell <scottsh@...rosoft.com>,
Sean Christopherson <sean.j.christopherson@...el.com>,
Shuah Khan <shuah@...nel.org>,
Steve Dower <steve.dower@...hon.org>,
Steve Grubb <sgrubb@...hat.com>,
Thibaut Sautereau <thibaut.sautereau@....gouv.fr>,
Vincent Strubel <vincent.strubel@....gouv.fr>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec
through O_MAYEXEC
On 5/5/20 9:55 AM, Mickaël Salaün wrote:
>
>
> On 05/05/2020 17:44, Randy Dunlap wrote:
>> On 5/5/20 8:31 AM, Mickaël Salaün wrote:
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index cd3cc7da3a55..d8fac9240d14 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -230,6 +230,32 @@ config STATIC_USERMODEHELPER_PATH
>>> If you wish for all usermode helper programs to be disabled,
>>> specify an empty string here (i.e. "").
>>>
>>> +menuconfig OMAYEXEC_STATIC
>>> + tristate "Configure O_MAYEXEC behavior at build time"
>>> + ---help---
>>> + Enable to enforce O_MAYEXEC at build time, and disable the dedicated
>>> + fs.open_mayexec_enforce sysctl.
>>
>> That help message is a bit confusing IMO. Does setting/enabling OMAYEXEC_STATIC
>> both enforce O_MAYEXEC at build time and also disable the dedicated sysctl?
>
> Yes. What about this?
> "Define the O_MAYEXEC policy at build time only. As a side effect, this
> also disables the fs.open_mayexec_enforce sysctl."
>
Yes, much better. Thanks.
>>
>> Or are these meant to be alternatives, one for what Enabling this kconfig symbol
>> does and the other for what Disabling this symbol does? If so, it doesn't
>> say that.
>>
>>> +
>>> + See Documentation/admin-guide/sysctl/fs.rst for more details.
>>> +
>>> +if OMAYEXEC_STATIC
>>> +
>>> +config OMAYEXEC_ENFORCE_MOUNT
>>> + bool "Mount restriction"
>>> + default y
>>> + ---help---
>>> + Forbid opening files with the O_MAYEXEC option if their underlying VFS is
>>> + mounted with the noexec option or if their superblock forbids execution
>>> + of its content (e.g., /proc).
>>> +
>>> +config OMAYEXEC_ENFORCE_FILE
>>> + bool "File permission restriction"
>>> + ---help---
>>> + Forbid opening files with the O_MAYEXEC option if they are not marked as
>>> + executable for the current process (e.g., POSIX permissions).
>>> +
>>> +endif # OMAYEXEC_STATIC
>>> +
>>> source "security/selinux/Kconfig"
>>> source "security/smack/Kconfig"
>>> source "security/tomoyo/Kconfig"
>>
>>
--
~Randy
Powered by blists - more mailing lists