[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a566be590766eac5811a1e44af5cfd731d503d7e.camel@linux.ibm.com>
Date: Wed, 27 Nov 2024 10:15:00 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Mickaël Salaün <mic@...ikod.net>
Cc: Al Viro <viro@...iv.linux.org.uk>, Christian Brauner
<brauner@...nel.org>,
Kees Cook <keescook@...omium.org>, Paul Moore
<paul@...l-moore.com>,
Serge Hallyn <serge@...lyn.com>,
Adhemerval Zanella
Netto <adhemerval.zanella@...aro.org>,
Alejandro Colomar <alx@...nel.org>, Aleksa Sarai <cyphar@...har.com>,
Andrew Morton
<akpm@...ux-foundation.org>,
Andy Lutomirski <luto@...nel.org>, Arnd
Bergmann <arnd@...db.de>,
Casey Schaufler <casey@...aufler-ca.com>,
Christian Heimes <christian@...hon.org>,
Dmitry Vyukov
<dvyukov@...gle.com>, Elliott Hughes <enh@...gle.com>,
Eric Biggers
<ebiggers@...nel.org>,
Eric Chiang <ericchiang@...gle.com>,
Fan Wu
<wufan@...ux.microsoft.com>,
Florian Weimer <fweimer@...hat.com>,
Geert
Uytterhoeven <geert@...ux-m68k.org>,
James Morris
<jamorris@...ux.microsoft.com>, Jan Kara <jack@...e.cz>,
Jann Horn
<jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>,
Jonathan Corbet
<corbet@....net>,
Jordan R Abrahams <ajordanr@...gle.com>,
Lakshmi
Ramasubramanian <nramas@...ux.microsoft.com>,
Linus Torvalds
<torvalds@...ux-foundation.org>,
Luca Boccassi <bluca@...ian.org>,
Luis
Chamberlain <mcgrof@...nel.org>,
"Madhavan T . Venkataraman"
<madvenka@...ux.microsoft.com>,
Matt Bobrowski <mattbobrowski@...gle.com>,
Matthew Garrett <mjg59@...f.ucam.org>,
Matthew Wilcox
<willy@...radead.org>,
Miklos Szeredi <mszeredi@...hat.com>,
Nicolas
Bouchinet <nicolas.bouchinet@....gouv.fr>,
Scott Shell
<scottsh@...rosoft.com>, Shuah Khan <shuah@...nel.org>,
Stephen Rothwell
<sfr@...b.auug.org.au>,
Steve Dower <steve.dower@...hon.org>, Steve Grubb
<sgrubb@...hat.com>,
"Theodore Ts'o" <tytso@....edu>,
Thibaut Sautereau
<thibaut.sautereau@....gouv.fr>,
Vincent Strubel
<vincent.strubel@....gouv.fr>,
Xiaoming Ni <nixiaoming@...wei.com>,
Yin
Fengwei <fengwei.yin@...el.com>,
kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc"
interpreter and 28 tests
On Wed, 2024-11-27 at 13:10 +0100, Mickaël Salaün wrote:
> On Tue, Nov 26, 2024 at 12:41:45PM -0500, Mimi Zohar wrote:
> > On Fri, 2024-11-22 at 15:50 +0100, Mickaël Salaün wrote:
> > > On Thu, Nov 21, 2024 at 03:34:47PM -0500, Mimi Zohar wrote:
> > > > Hi Mickaël,
> > > >
> > > > On Tue, 2024-11-12 at 20:18 +0100, Mickaël Salaün wrote:
> > > > >
> > > > > +
> > > > > +/* Returns 1 on error, 0 otherwise. */
> > > > > +static int interpret_stream(FILE *script, char *const script_name,
> > > > > + char *const *const envp, const bool restrict_stream)
> > > > > +{
> > > > > + int err;
> > > > > + char *const script_argv[] = { script_name, NULL };
> > > > > + char buf[128] = {};
> > > > > + size_t buf_size = sizeof(buf);
> > > > > +
> > > > > + /*
> > > > > + * We pass a valid argv and envp to the kernel to emulate a native
> > > > > + * script execution. We must use the script file descriptor instead of
> > > > > + * the script path name to avoid race conditions.
> > > > > + */
> > > > > + err = execveat(fileno(script), "", script_argv, envp,
> > > > > + AT_EMPTY_PATH | AT_EXECVE_CHECK);
> > > >
> > > > At least with v20, the AT_CHECK always was being set, independent of whether
> > > > set-exec.c set it. I'll re-test with v21.
> > >
> > > AT_EXECVE_CEHCK should always be set, only the interpretation of the
> > > result should be relative to securebits. This is highlighted in the
> > > documentation.
> >
> > Sure, that sounds correct. With an IMA-appraisal policy, any unsigned script
> > with the is_check flag set now emits an "cause=IMA-signature-required" audit
> > message. However since IMA-appraisal isn't enforcing file signatures, this
> > sounds wrong.
> >
> > New audit messages like "IMA-signature-required-by-interpreter" and "IMA-
> > signature-not-required-by-interpreter" would need to be defined based on the
> > SECBIT_EXEC_RESTRICT_FILE.
>
> It makes sense. Could you please send a patch for these
> IMA-*-interpreter changes? I'll include it in the next series.
Sent as an RFC. The audit message is only updated for the missing signature
case. However, all of the audit messages in ima_appraise_measurement() should
be updated. The current method doesn't scale.
Mimi
> >
> >
> > > >
> > > > > + if (err && restrict_stream) {
> > > > > + perror("ERROR: Script execution check");
> > > > > + return 1;
> > > > > + }
> > > > > +
> > > > > + /* Reads script. */
> > > > > + buf_size = fread(buf, 1, buf_size - 1, script);
> > > > > + return interpret_buffer(buf, buf_size);
> > > > > +}
> > > > > +
> > > >
> > > >
> > >
> >
> >
>
Powered by blists - more mailing lists