[PATCH v1] shebang: restrict python interactive prompt/interpreter

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Fri Jun 9 23:04:32 UTC 2017

Matt Brown wrote:
> what does everyone thing about a envp_blacklist option that is a list of
> environmental variables that will be stripped from exec calls. This can
> be done in the LSM hook bprm_check_security.

Stripping argv[0] can be done by remove_arg_zero(). But stripping specific
environmental variables is a bit complicated than what you would think. You
can see tomoyo_environ() for how to whitelist environmental variable names.

> Is there any reason on a hardened system why you would need the
> PYTHONINSPECT environmental variable?

TOMOYO and CaitSith try to check such factors (e.g. argv/envp as well as
pathname manipulations).
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list