[PATCH v2 0/5] Add support for O_MAYEXEC
James Morris
jmorris at namei.org
Mon Sep 9 00:16:23 UTC 2019
On Fri, 6 Sep 2019, Mickaël Salaün wrote:
> Furthermore, the security policy can also be delegated to an LSM, either
> a MAC system or an integrity system. For instance, the new kernel
> MAY_OPENEXEC flag closes a major IMA measurement/appraisal interpreter
> integrity gap by bringing the ability to check the use of scripts [2].
To clarify, scripts are already covered by IMA if they're executed
directly, and the gap is when invoking a script as a parameter to the
interpreter (and for any sourced files). In that case only the interpreter
is measured/appraised, unless there's a rule also covering the script
file(s).
See:
https://en.opensuse.org/SDB:Ima_evm#script-behaviour
In theory you could probably also close the gap by modifying the
interpreters to check for the execute bit on any file opened for
interpretation (as earlier suggested by Steve Grubb), and then you could
have IMA measure/appraise all files with +x. I suspect this could get
messy in terms of unwanted files being included, and the MAY_OPENEXEC flag
has cleaner semantics.
--
James Morris
<jmorris at namei.org>
More information about the Linux-security-module-archive
mailing list