[PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits

sergeh at kernel.org sergeh at kernel.org
Tue Oct 15 03:15:11 UTC 2024


On Mon, Oct 14, 2024 at 09:40:34AM +0200, Mickaël Salaün wrote:
> On Sat, Oct 12, 2024 at 09:51:50PM -0500, Serge E. Hallyn wrote:
> > On Fri, Oct 11, 2024 at 08:44:18PM +0200, Mickaël Salaün wrote:
> > > The new SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and
> > > their *_LOCKED counterparts are designed to be set by processes setting
> > > up an execution environment, such as a user session, a container, or a
> > > security sandbox.  Unlike other securebits, these ones can be set by
> > > unprivileged processes.  Like seccomp filters or Landlock domains, the
> > > securebits are inherited across processes.
> > > 
> > > When SECBIT_EXEC_RESTRICT_FILE is set, programs interpreting code should
> > > control executable resources according to execveat(2) + AT_CHECK (see
> > > previous commit).
> > > 
> > > When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should deny
> > > execution of user interactive commands (which excludes executable
> > > regular files).
> > > 
> > > Being able to configure each of these securebits enables system
> > > administrators or owner of image containers to gradually validate the
> > > related changes and to identify potential issues (e.g. with interpreter
> > > or audit logs).
> > > 
> > > It should be noted that unlike other security bits, the
> > > SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE bits are
> > > dedicated to user space willing to restrict itself.  Because of that,
> > > they only make sense in the context of a trusted environment (e.g.
> > > sandbox, container, user session, full system) where the process
> > > changing its behavior (according to these bits) and all its parent
> > > processes are trusted.  Otherwise, any parent process could just execute
> > > its own malicious code (interpreting a script or not), or even enforce a
> > > seccomp filter to mask these bits.
> > > 
> > > Such a secure environment can be achieved with an appropriate access
> > > control (e.g. mount's noexec option, file access rights, LSM policy) and
> > > an enlighten ld.so checking that libraries are allowed for execution
> > > e.g., to protect against illegitimate use of LD_PRELOAD.
> > > 
> > > Ptrace restrictions according to these securebits would not make sense
> > > because of the processes' trust assumption.
> > > 
> > > Scripts may need some changes to deal with untrusted data (e.g. stdin,
> > > environment variables), but that is outside the scope of the kernel.
> > > 
> > > See chromeOS's documentation about script execution control and the
> > > related threat model:
> > > https://www.chromium.org/chromium-os/developer-library/guides/security/noexec-shell-scripts/
> > > 
> > > Cc: Al Viro <viro at zeniv.linux.org.uk>
> > > Cc: Andy Lutomirski <luto at amacapital.net>
> > > Cc: Christian Brauner <brauner at kernel.org>
> > > Cc: Kees Cook <keescook at chromium.org>
> > > Cc: Paul Moore <paul at paul-moore.com>
> > > Cc: Serge Hallyn <serge at hallyn.com>
> > > Signed-off-by: Mickaël Salaün <mic at digikod.net>
> > > Link: https://lore.kernel.org/r/20241011184422.977903-3-mic@digikod.net
> > > ---
> > > 
> > > Changes since v19:
> > > * Replace SECBIT_SHOULD_EXEC_CHECK and SECBIT_SHOULD_EXEC_RESTRICT with
> > >   SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE:
> > >   https://lore.kernel.org/all/20240710.eiKohpa4Phai@digikod.net/
> > > * Remove the ptrace restrictions, suggested by Andy.
> > > * Improve documentation according to the discussion with Jeff.
> > > 
> > > New design since v18:
> > > https://lore.kernel.org/r/20220104155024.48023-3-mic@digikod.net
> > > ---
> > >  include/uapi/linux/securebits.h | 113 +++++++++++++++++++++++++++++++-
> > >  security/commoncap.c            |  29 ++++++--
> > >  2 files changed, 135 insertions(+), 7 deletions(-)
> > > 
> > > diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h
> > > index d6d98877ff1a..351b6ecefc76 100644
> > > --- a/include/uapi/linux/securebits.h
> > > +++ b/include/uapi/linux/securebits.h
> > > @@ -52,10 +52,121 @@
> > >  #define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
> > >  			(issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
> > >  
> > > +/*
> > > + * The SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE securebits
> > > + * are intended for script interpreters and dynamic linkers to enforce a
> > > + * consistent execution security policy handled by the kernel.
> > > + *
> > > + * Whether an interpreter should check these securebits or not depends on the
> > > + * security risk of running malicious scripts with respect to the execution
> > > + * environment, and whether the kernel can check if a script is trustworthy or
> > > + * not.  For instance, Python scripts running on a server can use arbitrary
> > > + * syscalls and access arbitrary files.  Such interpreters should then be
> > > + * enlighten to use these securebits and let users define their security
> > > + * policy.  However, a JavaScript engine running in a web browser should
> > > + * already be sandboxed and then should not be able to harm the user's
> > > + * environment.
> > > + *
> > > + * When SECBIT_EXEC_RESTRICT_FILE is set, a process should only interpret or
> > > + * execute a file if a call to execveat(2) with the related file descriptor and
> > > + * the AT_CHECK flag succeed.
> > > + *
> > > + * This secure bit may be set by user session managers, service managers,
> > > + * container runtimes, sandboxer tools...  Except for test environments, the
> > > + * related SECBIT_EXEC_RESTRICT_FILE_LOCKED bit should also be set.
> > > + *
> > > + * Programs should only enforce consistent restrictions according to the
> > > + * securebits but without relying on any other user-controlled configuration.
> > > + * Indeed, the use case for these securebits is to only trust executable code
> > > + * vetted by the system configuration (through the kernel), so we should be
> > > + * careful to not let untrusted users control this configuration.
> > > + *
> > > + * However, script interpreters may still use user configuration such as
> > > + * environment variables as long as it is not a way to disable the securebits
> > > + * checks.  For instance, the PATH and LD_PRELOAD variables can be set by a
> > > + * script's caller.  Changing these variables may lead to unintended code
> > > + * executions, but only from vetted executable programs, which is OK.  For this
> > > + * to make sense, the system should provide a consistent security policy to
> > > + * avoid arbitrary code execution e.g., by enforcing a write xor execute
> > > + * policy.
> > > + *
> > > + * SECBIT_EXEC_RESTRICT_FILE is complementary and should also be checked.
> > > + */
> > > +#define SECURE_EXEC_RESTRICT_FILE		8
> > > +#define SECURE_EXEC_RESTRICT_FILE_LOCKED	9  /* make bit-8 immutable */
> > > +
> > > +#define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE))
> > > +#define SECBIT_EXEC_RESTRICT_FILE_LOCKED \
> > > +			(issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED))
> > > +
> > > +/*
> > > + * When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret
> > > + * interactive user commands (e.g. scripts).  However, if such commands are
> > > + * passed through a file descriptor (e.g. stdin), its content should be
> > > + * interpreted if a call to execveat(2) with the related file descriptor and
> > > + * the AT_CHECK flag succeed.
> > > + *
> > > + * For instance, script interpreters called with a script snippet as argument
> > > + * should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set.
> > > + *
> > > + * This secure bit may be set by user session managers, service managers,
> > > + * container runtimes, sandboxer tools...  Except for test environments, the
> > > + * related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set.
> > > + *
> > > + * See the SECBIT_EXEC_RESTRICT_FILE documentation.
> > > + *
> > > + * Here is the expected behavior for a script interpreter according to
> > > + * combination of any exec securebits:
> > > + *
> > > + * 1. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=0 (default)
> > > + *    Always interpret scripts, and allow arbitrary user commands.
> > > + *    => No threat, everyone and everything is trusted, but we can get ahead of
> > > + *       potential issues thanks to the call to execveat with AT_CHECK which
> > > + *       should always be performed but ignored by the script interpreter.
> > > + *       Indeed, this check is still important to enable systems administrators
> > > + *       to verify requests (e.g. with audit) and prepare for migration to a
> > > + *       secure mode.
> > > + *
> > > + * 2. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=0
> > > + *    Deny script interpretation if they are not executable, but allow
> > > + *    arbitrary user commands.
> > > + *    => The threat is (potential) malicious scripts run by trusted (and not
> > > + *       fooled) users.  That can protect against unintended script executions
> > > + *       (e.g. sh /tmp/*.sh).  This makes sense for (semi-restricted) user
> > > + *       sessions.
> > > + *
> > > + * 3. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=1
> > > + *    Always interpret scripts, but deny arbitrary user commands.
> > > + *    => This use case may be useful for secure services (i.e. without
> > > + *       interactive user session) where scripts' integrity is verified (e.g.
> > > + *       with IMA/EVM or dm-verity/IPE) but where access rights might not be
> > > + *       ready yet.  Indeed, arbitrary interactive commands would be much more
> > > + *       difficult to check.
> > > + *
> > > + * 4. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=1
> > > + *    Deny script interpretation if they are not executable, and also deny
> > > + *    any arbitrary user commands.
> > > + *    => The threat is malicious scripts run by untrusted users (but trusted
> > > + *       code).  This makes sense for system services that may only execute
> > > + *       trusted scripts.
> > > + */
> > > +#define SECURE_EXEC_DENY_INTERACTIVE		10
> > > +#define SECURE_EXEC_DENY_INTERACTIVE_LOCKED	11  /* make bit-10 immutable */
> > > +
> > > +#define SECBIT_EXEC_DENY_INTERACTIVE \
> > > +			(issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
> > > +#define SECBIT_EXEC_DENY_INTERACTIVE_LOCKED \
> > > +			(issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED))
> > > +
> > >  #define SECURE_ALL_BITS		(issecure_mask(SECURE_NOROOT) | \
> > >  				 issecure_mask(SECURE_NO_SETUID_FIXUP) | \
> > >  				 issecure_mask(SECURE_KEEP_CAPS) | \
> > > -				 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
> > > +				 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE) | \
> > > +				 issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \
> > > +				 issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
> > >  #define SECURE_ALL_LOCKS	(SECURE_ALL_BITS << 1)
> > >  
> > > +#define SECURE_ALL_UNPRIVILEGED (issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \
> > > +				 issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
> > > +
> > >  #endif /* _UAPI_LINUX_SECUREBITS_H */
> > > diff --git a/security/commoncap.c b/security/commoncap.c
> > > index cefad323a0b1..52ea01acb453 100644
> > > --- a/security/commoncap.c
> > > +++ b/security/commoncap.c
> > > @@ -1302,21 +1302,38 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
> > >  		     & (old->securebits ^ arg2))			/*[1]*/
> > >  		    || ((old->securebits & SECURE_ALL_LOCKS & ~arg2))	/*[2]*/
> > >  		    || (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS))	/*[3]*/
> > > -		    || (cap_capable(current_cred(),
> > > -				    current_cred()->user_ns,
> > > -				    CAP_SETPCAP,
> > > -				    CAP_OPT_NONE) != 0)			/*[4]*/
> > >  			/*
> > >  			 * [1] no changing of bits that are locked
> > >  			 * [2] no unlocking of locks
> > >  			 * [3] no setting of unsupported bits
> > > -			 * [4] doing anything requires privilege (go read about
> > > -			 *     the "sendmail capabilities bug")
> > >  			 */
> > >  		    )
> > >  			/* cannot change a locked bit */
> > >  			return -EPERM;
> > >  
> > > +		/*
> > > +		 * Doing anything requires privilege (go read about the
> > > +		 * "sendmail capabilities bug"), except for unprivileged bits.
> > > +		 * Indeed, the SECURE_ALL_UNPRIVILEGED bits are not
> > > +		 * restrictions enforced by the kernel but by user space on
> > > +		 * itself.
> > > +		 */
> > > +		if (cap_capable(current_cred(), current_cred()->user_ns,
> > > +				CAP_SETPCAP, CAP_OPT_NONE) != 0) {
> > > +			const unsigned long unpriv_and_locks =
> > > +				SECURE_ALL_UNPRIVILEGED |
> > > +				SECURE_ALL_UNPRIVILEGED << 1;
> > > +			const unsigned long changed = old->securebits ^ arg2;
> > > +
> > > +			/* For legacy reason, denies non-change. */
> > > +			if (!changed)
> > > +				return -EPERM;
> > 
> > This is odd to me.  You say for legacy reasons, but, currently, calling
> > PR_SET_SECUREBITS with no changes returns 0.  So you may be breaking
> > a lot of programs here, unless I'm mistaken.
> 
> When we call PR_SET_SECUREBITS with 0 (and if it was 0 too), it
> currently goes through the capability check and return -EPERM if the
> caller doesn't have CAP_SETCAP.  This is tested with
> TEST_F(secbits, legacy) in tools/testing/selftests/exec/check-exec.c
> (patch 3/6).

Drat, my manual test case had a typo.  Right you are - it fails now.

thanks,
-serge



More information about the Linux-security-module-archive mailing list