lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAKtyLkG03zaOgC57-y4mNBXc+Nt0eZtKvyuhbs53SEUGwYUb5g@mail.gmail.com>
Date: Wed, 30 Apr 2025 16:29:44 -0700
From: Fan Wu <wufan@...nel.org>
To: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
Cc: wufan@...nel.org, paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com, 
	mic@...ikod.net, linux-security-module@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 1/1] ipe: add script enforcement with BPRM check

On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh
<jasjivsingh@...ux.microsoft.com> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>
>
> Like direct file execution (e.g. ./script.sh), indirect file execution
> (e.g. sh script.sh) needs to be enforce by IPE based on the rules.
> Added a new security_bprm_creds_for_exec() hook to verify the indirect
> file's integrity.
>
> Signed-off-by: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
> ---
>  security/ipe/hooks.c | 23 +++++++++++++++++++++++
>  security/ipe/hooks.h |  2 ++
>  security/ipe/ipe.c   |  1 +
>  3 files changed, 26 insertions(+)
>
> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> index d0323b81cd8f..12713a0495cf 100644
> --- a/security/ipe/hooks.c
> +++ b/security/ipe/hooks.c
> @@ -35,6 +35,29 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
>         return ipe_evaluate_event(&ctx);
>  }
>
> +/**
> + * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
> + *       being evaluated.
> + *
> + * This LSM hook is called when a script is checked for execution through the
> + * execveat syscall with the AT_EXECVE_CHECK flag.

I remember the script is only one case, user space can add this flag
for other cases.

> + *
> + * Return:
> + * * %0                - Success
> + * * %-EACCES  - Did not pass IPE policy
> + */
> +int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
> +{
> +       struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
> +
> +       if (!bprm->is_check)
> +               return 0;
> +
> +       ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);

A new enum needs to be added to audit this new hook in the audit
event. Please create something like IPE_HOOK_BPRM_CREDS_FOR_EXEC.

-Fan

> +       return ipe_evaluate_event(&ctx);
> +}
> +
>  /**
>   * ipe_mmap_file() - ipe security hook function for mmap check.
>   * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
> diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
> index 38d4a387d039..1c16a25d806e 100644
> --- a/security/ipe/hooks.h
> +++ b/security/ipe/hooks.h
> @@ -24,6 +24,8 @@ enum ipe_hook_type {
>
>  int ipe_bprm_check_security(struct linux_binprm *bprm);
>
> +int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
> +
>  int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
>                   unsigned long flags);
>
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> index 4317134cb0da..845e3fd7a345 100644
> --- a/security/ipe/ipe.c
> +++ b/security/ipe/ipe.c
> @@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
>
>  static struct security_hook_list ipe_hooks[] __ro_after_init = {
>         LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
> +       LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
>         LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
>         LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
>         LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
> --
> 2.34.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ