[PATCH v1] shebang: restrict python interactive prompt/interpreter

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Sat Jun 10 01:49:36 UTC 2017


Matt Brown wrote:
> > What about execution via ld-linux ?
> > 
> >    $ /lib64/ld-linux-x86-64.so.2 /usr/bin/python2
> > 
> 
> Just tested this and you are correct, this allows you to bypass the
> protection.
> 
> I was able to fix this bypass by including /lib64/ld-linux-x86-64.so.2
> in the list of interpreters.

I'm not using BTRFS/OCFS2, but what about reflink()? They are copy-on-write while
separate inodes are used. Does that mean the inode number differs but the attributes
associated with that inode are the same (i.e. inode number based blacklisting fails)?
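
Added example, not part of the thread or the patch: assuming interpreters are matched by inode number, as the question above supposes, this Python sketch compares a reference file with a hard link to it and with a reflink clone (falling back to a plain copy where the filesystem does not support `FICLONE`), reporting inode identity and content identity separately. The file contents, paths and helper names are constructed for illustration.

```python
import fcntl
import hashlib
import os
import shutil
import tempfile

FICLONE = 0x40049409  # Linux ioctl: make dst share src's extents (reflink)

def clone_or_copy(src, dst):
    """Reflink src to dst if the filesystem supports it, else copy the bytes."""
    with open(src, "rb") as s, open(dst, "wb") as d:
        try:
            fcntl.ioctl(d.fileno(), FICLONE, s.fileno())
            return "reflink"
        except OSError:
            pass  # e.g. ext4/tmpfs: no reflink support, fall through
    shutil.copyfile(src, dst)
    return "copy"

def identity(path):
    """Return ((device, inode), sha256-of-content) for path."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return (st.st_dev, st.st_ino), digest

def compare(reference, candidate):
    ref_id, ref_digest = identity(reference)
    cand_id, cand_digest = identity(candidate)
    return {"same_inode": ref_id == cand_id,
            "same_content": ref_digest == cand_digest}

def demo():
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "interp")
        with open(ref, "wb") as f:
            # Constructed stand-in for an interpreter binary.
            f.write(b"constructed interpreter stand-in\n" * 64)
        hard = os.path.join(d, "hardlink")
        os.link(ref, hard)               # second name, same inode
        dup = os.path.join(d, "clone")
        method = clone_or_copy(ref, dup)  # new inode, same bytes
        return {"method": method,
                "hardlink": compare(ref, hard),
                "clone": compare(ref, dup)}

if __name__ == "__main__":
    print(demo())
```

The hard link resolves to the reference inode, while the clone gets an inode of its own on every filesystem; a reflink only changes whether the data blocks are shared underneath.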