On Tue, Jul 09, 2024 at 02:57:43PM -0700, Jeff Xu wrote: > On Tue, Jul 9, 2024 at 1:42 PM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > > > > On Mon, Jul 08, 2024 at 03:07:24PM -0700, Jeff Xu wrote: > > > On Mon, Jul 8, 2024 at 2:25 PM Steve Dower <steve.dower@xxxxxxxxxx> wrote: > > > > > > > > On 08/07/2024 22:15, Jeff Xu wrote: > > > > > IIUC: > > > > > CHECK=0, RESTRICT=0: do nothing, current behavior > > > > > CHECK=1, RESTRICT=0: permissive mode - ignore AT_CHECK results. > > > > > CHECK=0, RESTRICT=1: call AT_CHECK, deny if AT_CHECK failed, no exception. > > > > > CHECK=1, RESTRICT=1: call AT_CHECK, deny if AT_CHECK failed, except > > > > > those in the "checked-and-allowed" list. > > > > > > > > I had much the same question for Mickaël while working on this. > > > > > > > > Essentially, "CHECK=0, RESTRICT=1" means to restrict without checking. > > > > In the context of a script or macro interpreter, this just means it will > > > > never interpret any scripts. Non-binary code execution is fully disabled > > > > in any part of the process that respects these bits. > > > > > > > I see, so Mickaël does mean this will block all scripts. > > > > That is the initial idea. > > > > > I guess, in the context of dynamic linker, this means: no more .so > > > loading, even "dlopen" is called by an app ? But this will make the > > > execve() fail. > > > > Hmm, I'm not sure this "CHECK=0, RESTRICT=1" configuration would make > > sense for a dynamic linker except maybe if we want to only allow static > > binaries? > > > > The CHECK and RESTRICT securebits are designed to make it possible a > > "permissive mode" and an enforcement mode with the related locked > > securebits. This is why this "CHECK=0, RESTRICT=1" combination looks a > > bit weird. We can replace these securebits with others but I didn't > > find a better (and simple) option. I don't think this is an issue > > because with any security policy we can create unusable combinations. > > The three other combinations makes a lot of sense though. > > > If we need only handle 3 combinations, I would think something like > below is easier to understand, and don't have wield state like > CHECK=0, RESTRICT=1 The "CHECK=0, RESTRICT=1" is useful for script interpreter instances that should not interpret any command from users e.g., but only execute script files. > > XX_RESTRICT: when true: Perform the AT_CHECK, and deny the executable > after AT_CHECK fails. > XX_RESTRICT_PERMISSIVE: take effect when XX_RESTRICT is true. True > means Ignoring the AT_CHECK result. We get a similar weird state with XX_RESTRICT_PERMISSIVE=1 and XX_RESTRICT=0 As a side note, for compatibility reasons, by default all securebits must be 0, and this must translate to no restriction. > > Or > > XX_CHECK: when true: Perform the AT_CHECK. > XX_CHECK_ENFORCE takes effect only when XX_CHECK is true. True means > restrict the executable when AT_CHECK failed; false means ignore the > AT_CHECK failure. We get a similar weird state with XX_CHECK_ENFORCE=1 and XX_CHECK=0 > > Of course, we can replace XX_CHECK_ENFORCE with XX_RESTRICT. > Personally I think having _CHECK_ in the name implies the XX_CHECK > needs to be true as a prerequisite for this flag , but that is my > opinion only. As long as the semantics are clear as part of the > comments of definition in code, it is fine. Here is another proposal: We can change a bit the semantic by making it the norm to always check file executability with AT_CHECK, and using the securebits to restrict file interpretation and/or command injection (e.g. user supplied shell commands). Non-executable checked files can be reported/logged at the kernel level, with audit, configured by sysadmins. New securebits (feel free to propose better names): - SECBIT_EXEC_RESTRICT_FILE: requires AT_CHECK to pass. - SECBIT_EXEC_DENY_INTERACTIVE: deny any command injection via command line arguments, environment variables, or configuration files. This should be ignored by dynamic linkers. We could also have an allow-list of shells for which this bit is not set, managed by an LSM's policy, if the native securebits scoping approach is not enough. Different modes for script interpreters: 1. RESTRICT_FILE=0 DENY_INTERACTIVE=0 (default) Always interpret scripts, and allow arbitrary user commands. => No threat, everyone and everything is trusted, but we can get ahead of potential issues with logs to prepare for a migration to a restrictive mode. 2. RESTRICT_FILE=1 DENY_INTERACTIVE=0 Deny script interpretation if they are not executable, and allow arbitrary user commands. => Threat: (potential) malicious scripts run by trusted (and not fooled) users. That could protect against unintended script executions (e.g. sh /tmp/*.sh). ==> Makes sense for (semi-restricted) user sessions. 3. RESTRICT_FILE=1 DENY_INTERACTIVE=1 Deny script interpretation if they are not executable, and also deny any arbitrary user commands. => Threat: malicious scripts run by untrusted users. ==> Makes sense for system services executing scripts. 4. RESTRICT_FILE=0 DENY_INTERACTIVE=1 Always interpret scripts, but deny arbitrary user commands. => Goal: monitor/measure/assess script content (e.g. with IMA/EVM) in a system where the access rights are not (yet) ready. Arbitrary user commands would be much more difficult to monitor. ==> First step of restricting system services that should not directly pass arbitrary commands to shells. > > Thanks > -Jeff > > > > > > > > > "CHECK=1, RESTRICT=1" means to restrict unless AT_CHECK passes. This > > > > case is the allow list (or whatever mechanism is being used to determine > > > > the result of an AT_CHECK check). The actual mechanism isn't the > > > > business of the script interpreter at all, it just has to refuse to > > > > execute anything that doesn't pass the check. So a generic interpreter > > > > can implement a generic mechanism and leave the specifics to whoever > > > > configures the machine. > > > > > > > In the context of dynamic linker. this means: > > > if .so passed the AT_CHECK, ldopen() can still load it. > > > If .so fails the AT_CHECK, ldopen() will fail too. > > > > Correct > > > > > > > > Thanks > > > -Jeff > > > > > > > The other two case are more obvious. "CHECK=0, RESTRICT=0" is the > > > > zero-overhead case, while "CHECK=1, RESTRICT=0" might log, warn, or > > > > otherwise audit the result of the check, but it won't restrict execution. > > > > > > > > Cheers, > > > > Steve