On Mon, Oct 14, 2024 at 09:40:34AM +0200, Mickaël Salaün wrote: > On Sat, Oct 12, 2024 at 09:51:50PM -0500, Serge E. Hallyn wrote: > > On Fri, Oct 11, 2024 at 08:44:18PM +0200, Mickaël Salaün wrote: > > > The new SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and > > > their *_LOCKED counterparts are designed to be set by processes setting > > > up an execution environment, such as a user session, a container, or a > > > security sandbox. Unlike other securebits, these ones can be set by > > > unprivileged processes. Like seccomp filters or Landlock domains, the > > > securebits are inherited across processes. > > > > > > When SECBIT_EXEC_RESTRICT_FILE is set, programs interpreting code should > > > control executable resources according to execveat(2) + AT_CHECK (see > > > previous commit). > > > > > > When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should deny > > > execution of user interactive commands (which excludes executable > > > regular files). > > > > > > Being able to configure each of these securebits enables system > > > administrators or owner of image containers to gradually validate the > > > related changes and to identify potential issues (e.g. with interpreter > > > or audit logs). > > > > > > It should be noted that unlike other security bits, the > > > SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE bits are > > > dedicated to user space willing to restrict itself. Because of that, > > > they only make sense in the context of a trusted environment (e.g. > > > sandbox, container, user session, full system) where the process > > > changing its behavior (according to these bits) and all its parent > > > processes are trusted. Otherwise, any parent process could just execute > > > its own malicious code (interpreting a script or not), or even enforce a > > > seccomp filter to mask these bits. > > > > > > Such a secure environment can be achieved with an appropriate access > > > control (e.g. mount's noexec option, file access rights, LSM policy) and > > > an enlighten ld.so checking that libraries are allowed for execution > > > e.g., to protect against illegitimate use of LD_PRELOAD. > > > > > > Ptrace restrictions according to these securebits would not make sense > > > because of the processes' trust assumption. > > > > > > Scripts may need some changes to deal with untrusted data (e.g. stdin, > > > environment variables), but that is outside the scope of the kernel. > > > > > > See chromeOS's documentation about script execution control and the > > > related threat model: > > > https://www.chromium.org/chromium-os/developer-library/guides/security/noexec-shell-scripts/ > > > > > > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> > > > Cc: Andy Lutomirski <luto@xxxxxxxxxxxxxx> > > > Cc: Christian Brauner <brauner@xxxxxxxxxx> > > > Cc: Kees Cook <keescook@xxxxxxxxxxxx> > > > Cc: Paul Moore <paul@xxxxxxxxxxxxxx> > > > Cc: Serge Hallyn <serge@xxxxxxxxxx> > > > Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxx> > > > Link: https://lore.kernel.org/r/20241011184422.977903-3-mic@xxxxxxxxxxx > > > --- > > > > > > Changes since v19: > > > * Replace SECBIT_SHOULD_EXEC_CHECK and SECBIT_SHOULD_EXEC_RESTRICT with > > > SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE: > > > https://lore.kernel.org/all/20240710.eiKohpa4Phai@xxxxxxxxxxx/ > > > * Remove the ptrace restrictions, suggested by Andy. > > > * Improve documentation according to the discussion with Jeff. > > > > > > New design since v18: > > > https://lore.kernel.org/r/20220104155024.48023-3-mic@xxxxxxxxxxx > > > --- > > > include/uapi/linux/securebits.h | 113 +++++++++++++++++++++++++++++++- > > > security/commoncap.c | 29 ++++++-- > > > 2 files changed, 135 insertions(+), 7 deletions(-) > > > > > > diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h > > > index d6d98877ff1a..351b6ecefc76 100644 > > > --- a/include/uapi/linux/securebits.h > > > +++ b/include/uapi/linux/securebits.h > > > @@ -52,10 +52,121 @@ > > > #define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \ > > > (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED)) > > > > > > +/* > > > + * The SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE securebits > > > + * are intended for script interpreters and dynamic linkers to enforce a > > > + * consistent execution security policy handled by the kernel. > > > + * > > > + * Whether an interpreter should check these securebits or not depends on the > > > + * security risk of running malicious scripts with respect to the execution > > > + * environment, and whether the kernel can check if a script is trustworthy or > > > + * not. For instance, Python scripts running on a server can use arbitrary > > > + * syscalls and access arbitrary files. Such interpreters should then be > > > + * enlighten to use these securebits and let users define their security > > > + * policy. However, a JavaScript engine running in a web browser should > > > + * already be sandboxed and then should not be able to harm the user's > > > + * environment. > > > + * > > > + * When SECBIT_EXEC_RESTRICT_FILE is set, a process should only interpret or > > > + * execute a file if a call to execveat(2) with the related file descriptor and > > > + * the AT_CHECK flag succeed. > > > + * > > > + * This secure bit may be set by user session managers, service managers, > > > + * container runtimes, sandboxer tools... Except for test environments, the > > > + * related SECBIT_EXEC_RESTRICT_FILE_LOCKED bit should also be set. > > > + * > > > + * Programs should only enforce consistent restrictions according to the > > > + * securebits but without relying on any other user-controlled configuration. > > > + * Indeed, the use case for these securebits is to only trust executable code > > > + * vetted by the system configuration (through the kernel), so we should be > > > + * careful to not let untrusted users control this configuration. > > > + * > > > + * However, script interpreters may still use user configuration such as > > > + * environment variables as long as it is not a way to disable the securebits > > > + * checks. For instance, the PATH and LD_PRELOAD variables can be set by a > > > + * script's caller. Changing these variables may lead to unintended code > > > + * executions, but only from vetted executable programs, which is OK. For this > > > + * to make sense, the system should provide a consistent security policy to > > > + * avoid arbitrary code execution e.g., by enforcing a write xor execute > > > + * policy. > > > + * > > > + * SECBIT_EXEC_RESTRICT_FILE is complementary and should also be checked. > > > + */ > > > +#define SECURE_EXEC_RESTRICT_FILE 8 > > > +#define SECURE_EXEC_RESTRICT_FILE_LOCKED 9 /* make bit-8 immutable */ > > > + > > > +#define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE)) > > > +#define SECBIT_EXEC_RESTRICT_FILE_LOCKED \ > > > + (issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED)) > > > + > > > +/* > > > + * When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret > > > + * interactive user commands (e.g. scripts). However, if such commands are > > > + * passed through a file descriptor (e.g. stdin), its content should be > > > + * interpreted if a call to execveat(2) with the related file descriptor and > > > + * the AT_CHECK flag succeed. > > > + * > > > + * For instance, script interpreters called with a script snippet as argument > > > + * should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set. > > > + * > > > + * This secure bit may be set by user session managers, service managers, > > > + * container runtimes, sandboxer tools... Except for test environments, the > > > + * related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set. > > > + * > > > + * See the SECBIT_EXEC_RESTRICT_FILE documentation. > > > + * > > > + * Here is the expected behavior for a script interpreter according to > > > + * combination of any exec securebits: > > > + * > > > + * 1. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=0 (default) > > > + * Always interpret scripts, and allow arbitrary user commands. > > > + * => No threat, everyone and everything is trusted, but we can get ahead of > > > + * potential issues thanks to the call to execveat with AT_CHECK which > > > + * should always be performed but ignored by the script interpreter. > > > + * Indeed, this check is still important to enable systems administrators > > > + * to verify requests (e.g. with audit) and prepare for migration to a > > > + * secure mode. > > > + * > > > + * 2. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=0 > > > + * Deny script interpretation if they are not executable, but allow > > > + * arbitrary user commands. > > > + * => The threat is (potential) malicious scripts run by trusted (and not > > > + * fooled) users. That can protect against unintended script executions > > > + * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user > > > + * sessions. > > > + * > > > + * 3. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=1 > > > + * Always interpret scripts, but deny arbitrary user commands. > > > + * => This use case may be useful for secure services (i.e. without > > > + * interactive user session) where scripts' integrity is verified (e.g. > > > + * with IMA/EVM or dm-verity/IPE) but where access rights might not be > > > + * ready yet. Indeed, arbitrary interactive commands would be much more > > > + * difficult to check. > > > + * > > > + * 4. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=1 > > > + * Deny script interpretation if they are not executable, and also deny > > > + * any arbitrary user commands. > > > + * => The threat is malicious scripts run by untrusted users (but trusted > > > + * code). This makes sense for system services that may only execute > > > + * trusted scripts. > > > + */ > > > +#define SECURE_EXEC_DENY_INTERACTIVE 10 > > > +#define SECURE_EXEC_DENY_INTERACTIVE_LOCKED 11 /* make bit-10 immutable */ > > > + > > > +#define SECBIT_EXEC_DENY_INTERACTIVE \ > > > + (issecure_mask(SECURE_EXEC_DENY_INTERACTIVE)) > > > +#define SECBIT_EXEC_DENY_INTERACTIVE_LOCKED \ > > > + (issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED)) > > > + > > > #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ > > > issecure_mask(SECURE_NO_SETUID_FIXUP) | \ > > > issecure_mask(SECURE_KEEP_CAPS) | \ > > > - issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) > > > + issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE) | \ > > > + issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \ > > > + issecure_mask(SECURE_EXEC_DENY_INTERACTIVE)) > > > #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) > > > > > > +#define SECURE_ALL_UNPRIVILEGED (issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \ > > > + issecure_mask(SECURE_EXEC_DENY_INTERACTIVE)) > > > + > > > #endif /* _UAPI_LINUX_SECUREBITS_H */ > > > diff --git a/security/commoncap.c b/security/commoncap.c > > > index cefad323a0b1..52ea01acb453 100644 > > > --- a/security/commoncap.c > > > +++ b/security/commoncap.c > > > @@ -1302,21 +1302,38 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, > > > & (old->securebits ^ arg2)) /*[1]*/ > > > || ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/ > > > || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/ > > > - || (cap_capable(current_cred(), > > > - current_cred()->user_ns, > > > - CAP_SETPCAP, > > > - CAP_OPT_NONE) != 0) /*[4]*/ > > > /* > > > * [1] no changing of bits that are locked > > > * [2] no unlocking of locks > > > * [3] no setting of unsupported bits > > > - * [4] doing anything requires privilege (go read about > > > - * the "sendmail capabilities bug") > > > */ > > > ) > > > /* cannot change a locked bit */ > > > return -EPERM; > > > > > > + /* > > > + * Doing anything requires privilege (go read about the > > > + * "sendmail capabilities bug"), except for unprivileged bits. > > > + * Indeed, the SECURE_ALL_UNPRIVILEGED bits are not > > > + * restrictions enforced by the kernel but by user space on > > > + * itself. > > > + */ > > > + if (cap_capable(current_cred(), current_cred()->user_ns, > > > + CAP_SETPCAP, CAP_OPT_NONE) != 0) { > > > + const unsigned long unpriv_and_locks = > > > + SECURE_ALL_UNPRIVILEGED | > > > + SECURE_ALL_UNPRIVILEGED << 1; > > > + const unsigned long changed = old->securebits ^ arg2; > > > + > > > + /* For legacy reason, denies non-change. */ > > > + if (!changed) > > > + return -EPERM; > > > > This is odd to me. You say for legacy reasons, but, currently, calling > > PR_SET_SECUREBITS with no changes returns 0. So you may be breaking > > a lot of programs here, unless I'm mistaken. > > When we call PR_SET_SECUREBITS with 0 (and if it was 0 too), it > currently goes through the capability check and return -EPERM if the > caller doesn't have CAP_SETCAP. This is tested with > TEST_F(secbits, legacy) in tools/testing/selftests/exec/check-exec.c > (patch 3/6). Drat, my manual test case had a typo. Right you are - it fails now. thanks, -serge