Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx>, Mickaël Salaün <mic@xxxxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>
Subject: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
From: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Jul 2024 12:12:49 -0400
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Christian Brauner <brauner@xxxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, "Theodore Ts'o" <tytso@xxxxxxx>, Alejandro Colomar <alx@xxxxxxxxxx>, Aleksa Sarai <cyphar@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Arnd Bergmann <arnd@xxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Christian Heimes <christian@xxxxxxxxxx>, Dmitry Vyukov <dvyukov@xxxxxxxxxx>, Eric Biggers <ebiggers@xxxxxxxxxx>, Eric Chiang <ericchiang@xxxxxxxxxx>, Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx>, Florian Weimer <fweimer@xxxxxxxxxx>, Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>, James Morris <jamorris@xxxxxxxxxxxxxxxxxxx>, Jan Kara <jack@xxxxxxx>, Jann Horn <jannh@xxxxxxxxxx>, Jeff Xu <jeffxu@xxxxxxxxxx>, Jonathan Corbet <corbet@xxxxxxx>, Jordan R Abrahams <ajordanr@xxxxxxxxxx>, Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>, Luca Boccassi <bluca@xxxxxxxxxx>, Luis Chamberlain <mcgrof@xxxxxxxxxx>, "Madhavan T . Venkataraman" <madvenka@xxxxxxxxxxxxxxxxxxx>, Matt Bobrowski <mattbobrowski@xxxxxxxxxx>, Matthew Garrett <mjg59@xxxxxxxxxxxxx>, Matthew Wilcox <willy@xxxxxxxxxxxxx>, Miklos Szeredi <mszeredi@xxxxxxxxxx>, Nicolas Bouchinet <nicolas.bouchinet@xxxxxxxxxxx>, Scott Shell <scottsh@xxxxxxxxxxxxx>, Shuah Khan <shuah@xxxxxxxxxx>, Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx>, Steve Dower <steve.dower@xxxxxxxxxx>, Steve Grubb <sgrubb@xxxxxxxxxx>, Thibaut Sautereau <thibaut.sautereau@xxxxxxxxxxx>, Vincent Strubel <vincent.strubel@xxxxxxxxxxx>, Xiaoming Ni <nixiaoming@xxxxxxxxxx>, Yin Fengwei <fengwei.yin@xxxxxxxxx>, kernel-hardening@xxxxxxxxxxxxxxxxxx, linux-api@xxxxxxxxxxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, linux-integrity@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx
In-reply-to: <9e3df65c2bf060b5833558e9f8d82dcd2fe9325a.camel@huaweicloud.com>
User-agent: Evolution 3.42.4

On Tue, 2024-07-16 at 17:57 +0200, Roberto Sassu wrote:
> But the Clip OS 4 patch does not cover the redirection case:
> 
> # ./bash < /root/test.sh
> Hello World
> 
> Do you have a more recent patch for that?

How far down the rabbit hole do you want to go?  You can't forbid a
shell from executing commands from stdin because logging in then won't
work.  It may be possible to allow from a tty backed file and not from
a file backed one, but you still have the problem of the attacker
manually typing in the script.

The saving grace for this for shells is that they pretty much do
nothing on their own (unlike python) so you can still measure all the
executables they call out to, which provides reasonable safety.

James

Follow-Ups:
- Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
  - From: Mickaël Salaün

References:
- [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
  - From: Mickaël Salaün
- Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
  - From: Mimi Zohar
- Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
  - From: Mickaël Salaün
- Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
  - From: Roberto Sassu

Prev by Date: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
Next by Date: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
Previous by thread: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
Next by thread: Re: [RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)
Index(es):
- Date
- Thread

[Index of Archives] [Linux Ext4 Filesystem] [Union Filesystem] [Filesystem Testing] [Ceph Users] [Ecryptfs] [NTFS 3] [AutoFS] [Kernel Newbies] [Share Photos] [Security] [Netfilter] [Bugtraq] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux Cachefs] [Reiser Filesystem] [Linux RAID] [NTFS 3] [Samba] [Device Mapper] [CEPH Development]