| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrVDJYK+vWOe+-NACAqQ9i4nhCz-7rMMdkRuxexgnpzZow@mail.gmail.com> Date: Wed, 27 Aug 2025 13:35:13 -0700 From: Andy Lutomirski <luto@...capital.net> To: Mickaël Salaün <mic@...ikod.net> Cc: Andy Lutomirski <luto@...nel.org>, "Theodore Ts'o" <tytso@....edu>, Christian Brauner <brauner@...nel.org>, Al Viro <viro@...iv.linux.org.uk>, Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Serge Hallyn <serge@...lyn.com>, Arnd Bergmann <arnd@...db.de>, Christian Heimes <christian@...hon.org>, Dmitry Vyukov <dvyukov@...gle.com>, Elliott Hughes <enh@...gle.com>, Fan Wu <wufan@...ux.microsoft.com>, Florian Weimer <fweimer@...hat.com>, Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>, Jonathan Corbet <corbet@....net>, Jordan R Abrahams <ajordanr@...gle.com>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Luca Boccassi <bluca@...ian.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Miklos Szeredi <mszeredi@...hat.com>, Mimi Zohar <zohar@...ux.ibm.com>, Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>, Robert Waite <rowait@...rosoft.com>, Roberto Sassu <roberto.sassu@...wei.com>, Scott Shell <scottsh@...rosoft.com>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) On Wed, Aug 27, 2025 at 12:07 PM Mickaël Salaün <mic@...ikod.net> wrote: > > On Wed, Aug 27, 2025 at 10:35:28AM -0700, Andy Lutomirski wrote: > > On Tue, Aug 26, 2025 at 10:47 AM Mickaël Salaün <mic@...ikod.net> wrote: > > > > > > On Tue, Aug 26, 2025 at 08:30:41AM -0400, Theodore Ts'o wrote: > > > > Is there a single, unified design and requirements document that > > > > describes the threat model, and what you are trying to achieve with > > > > AT_EXECVE_CHECK and O_DENY_WRITE? I've been looking at the cover > > > > letters for AT_EXECVE_CHECK and O_DENY_WRITE, and the documentation > > > > that has landed for AT_EXECVE_CHECK and it really doesn't describe > > > > what *are* the checks that AT_EXECVE_CHECK is trying to achieve: > > > > > > > > "The AT_EXECVE_CHECK execveat(2) flag, and the > > > > SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE > > > > securebits are intended for script interpreters and dynamic linkers > > > > to enforce a consistent execution security policy handled by the > > > > kernel." > > > > > > From the documentation: > > > > > > Passing the AT_EXECVE_CHECK flag to execveat(2) only performs a check > > > on a regular file and returns 0 if execution of this file would be > > > allowed, ignoring the file format and then the related interpreter > > > dependencies (e.g. ELF libraries, script’s shebang). > > > > > > > > > > > Um, what security policy? > > > > > > Whether the file is allowed to be executed. This includes file > > > permission, mount point option, ACL, LSM policies... > > > > This needs *waaaaay* more detail for any sort of useful evaluation. > > Is an actual credible security policy rolling dice? Asking ChatGPT? > > Looking at security labels? Does it care who can write to the file, > > or who owns the file, or what the file's hash is, or what filesystem > > it's on, or where it came from? Does it dynamically inspect the > > contents? Is it controlled by an unprivileged process? > > AT_EXECVE_CHECK only does the same checks as done by other execveat(2) > calls, but without actually executing the file/fd. > okay... but see below. > > > > I can easily come up with security policies for which DENYWRITE is > > completely useless. I can come up with convoluted and > > not-really-credible policies where DENYWRITE is important, but I'm > > honestly not sure that those policies are actually useful. I'm > > honestly a bit concerned that AT_EXECVE_CHECK is fundamentally busted > > because it should have been parametrized by *what format is expected* > > -- it might be possible to bypass a policy by executing a perfectly > > fine Python script using bash, for example. > > There have been a lot of bikesheding for the AT_EXECVE_CHECK patch > series, and a lot of discussions too (you where part of them). We ended > up with this design, which is simple and follows the kernel semantic > (requested by Linus). I recall this. That doesn't mean I totally love AT_EXECVE_CHECK. And it especially doesn't mean that I believe that it usefully does something that justifies anything like DENYWRITE. > > > > > I genuinely have not come up with a security policy that I believe > > makes sense that needs AT_EXECVE_CHECK and DENYWRITE. I'm not saying > > that such a policy does not exist -- I'm saying that I have not > > thought of such a thing after a few minutes of thought and reading > > these threads. > > A simple use case is for systems that wants to enforce a > write-xor-execute policy e.g., thanks to mount point options. Sure, but I'm contemplating DENYWRITE, and this thread is about DENYWRITE. If the kernel is enforcing W^X, then there are really two almost unrelated things going on: 1. LSM policy that enforces W^X for memory mappings. This is to enforce that applications don't do nasty things like having executable stacks, and it's a mess because no one has really figured out how JITs are supposed to work in this world. It has almost nothing to do with execve except incidentally. 2. LSM policy that enforces that someone doesn't execve (or similar) something that *that user* can write. Or that non-root can write. Or that anyone at all can write, etc. I think, but I'm not sure, that you're talking about #2. So maybe there's a policy that says that one may only exec things that are on an fs with the 'exec' mount option. Or maybe there's a policy that says that one may only exec things that are on a readonly fs. In these specific cases, I believe in AT_EXECVE_CHECK. *But* I don't believe in DENYWRITE: in the 'exec' case, if an fs has the exec option set, that doesn't change if the file is subsequently modified. And if an fs is readonly, then the file is quite unlikely to be modified at all and will certainly not be modified via the mount through which it's being executed. And you don't need DENYWRITE. So I think my question still stands: is there a credible security policy *that actually benefits from DENYWRITE*? If so, can you give an example? > > > > Seriously, consider all the unending recent attacks on LLMs an > > inspiration. The implications of viewing an image, downscaling the > > image, possibly interpreting the image as something containing text, > > possibly following instructions in a given language contained in the > > image, etc are all wildly different. A mechanism for asking for > > general permission to "consume this image" is COMPLETELY MISSING THE > > POINT. (Never mind that the current crop of LLMs seem entirely > > incapable of constraining their own use of some piece of input, but > > that's a different issue and is besides the point here.) > > You're asking about what should we consider executable. This is a good > question, but AT_EXECVE_CHECK is there to answer another question: would > the kernel execute it or not? > That's a sort of odd way of putting it. The kernel won't execute it because the kernel doesn't know how to :) But I think I understand what you're saying.
Powered by blists - more mailing lists