mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-12-22 12:17:45 +01:00
a5874fde3c
Add a new AT_EXECVE_CHECK flag to execveat(2) to check if a file would
be allowed for execution. The main use case is for script interpreters
and dynamic linkers to check execution permission according to the
kernel's security policy. Another use case is to add context to access
logs e.g., which script (instead of interpreter) accessed a file. As
any executable code, scripts could also use this check [1].
This is different from faccessat(2) + X_OK which only checks a subset of
access rights (i.e. inode permission and mount options for regular
files), but not the full context (e.g. all LSM access checks). The main
use case for access(2) is for SUID processes to (partially) check access
on behalf of their caller. The main use case for execveat(2) +
AT_EXECVE_CHECK is to check if a script execution would be allowed,
according to all the different restrictions in place. Because the use
of AT_EXECVE_CHECK follows the exact kernel semantic as for a real
execution, user space gets the same error codes.
An interesting point of using execveat(2) instead of openat2(2) is that
it decouples the check from the enforcement. Indeed, the security check
can be logged (e.g. with audit) without blocking an execution
environment not yet ready to enforce a strict security policy.
LSMs can control or log execution requests with
security_bprm_creds_for_exec(). However, to enforce a consistent and
complete access control (e.g. on binary's dependencies) LSMs should
restrict file executability, or measure executed files, with
security_file_open() by checking file->f_flags & __FMODE_EXEC.
Because AT_EXECVE_CHECK is dedicated to user space interpreters, it
doesn't make sense for the kernel to parse the checked files, look for
interpreters known to the kernel (e.g. ELF, shebang), and return ENOEXEC
if the format is unknown. Because of that, security_bprm_check() is
never called when AT_EXECVE_CHECK is used.
It should be noted that script interpreters cannot directly use
execveat(2) (without this new AT_EXECVE_CHECK flag) because this could
lead to unexpected behaviors e.g., `python script.sh` could lead to Bash
being executed to interpret the script. Unlike the kernel, script
interpreters may just interpret the shebang as a simple comment, which
should not change for backward compatibility reasons.
Because scripts or libraries files might not currently have the
executable permission set, or because we might want specific users to be
allowed to run arbitrary scripts, the following patch provides a dynamic
configuration mechanism with the SECBIT_EXEC_RESTRICT_FILE and
SECBIT_EXEC_DENY_INTERACTIVE securebits.
This is a redesign of the CLIP OS 4's O_MAYEXEC:
f5cb330d6b/1901_open_mayexec.patch
This patch has been used for more than a decade with customized script
interpreters. Some examples can be found here:
https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Jeff Xu <jeffxu@chromium.org>
Link: https://docs.python.org/3/library/io.html#io.open_code [1]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-2-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
163 lines
5.8 KiB
C
163 lines
5.8 KiB
C
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
#ifndef _UAPI_LINUX_FCNTL_H
|
|
#define _UAPI_LINUX_FCNTL_H
|
|
|
|
#include <asm/fcntl.h>
|
|
#include <linux/openat2.h>
|
|
|
|
#define F_SETLEASE (F_LINUX_SPECIFIC_BASE + 0)
|
|
#define F_GETLEASE (F_LINUX_SPECIFIC_BASE + 1)
|
|
|
|
/*
|
|
* Request nofications on a directory.
|
|
* See below for events that may be notified.
|
|
*/
|
|
#define F_NOTIFY (F_LINUX_SPECIFIC_BASE + 2)
|
|
|
|
#define F_DUPFD_QUERY (F_LINUX_SPECIFIC_BASE + 3)
|
|
|
|
/* Was the file just created? */
|
|
#define F_CREATED_QUERY (F_LINUX_SPECIFIC_BASE + 4)
|
|
|
|
/*
|
|
* Cancel a blocking posix lock; internal use only until we expose an
|
|
* asynchronous lock api to userspace:
|
|
*/
|
|
#define F_CANCELLK (F_LINUX_SPECIFIC_BASE + 5)
|
|
|
|
/* Create a file descriptor with FD_CLOEXEC set. */
|
|
#define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
|
|
|
|
/*
|
|
* Set and get of pipe page size array
|
|
*/
|
|
#define F_SETPIPE_SZ (F_LINUX_SPECIFIC_BASE + 7)
|
|
#define F_GETPIPE_SZ (F_LINUX_SPECIFIC_BASE + 8)
|
|
|
|
/*
|
|
* Set/Get seals
|
|
*/
|
|
#define F_ADD_SEALS (F_LINUX_SPECIFIC_BASE + 9)
|
|
#define F_GET_SEALS (F_LINUX_SPECIFIC_BASE + 10)
|
|
|
|
/*
|
|
* Types of seals
|
|
*/
|
|
#define F_SEAL_SEAL 0x0001 /* prevent further seals from being set */
|
|
#define F_SEAL_SHRINK 0x0002 /* prevent file from shrinking */
|
|
#define F_SEAL_GROW 0x0004 /* prevent file from growing */
|
|
#define F_SEAL_WRITE 0x0008 /* prevent writes */
|
|
#define F_SEAL_FUTURE_WRITE 0x0010 /* prevent future writes while mapped */
|
|
#define F_SEAL_EXEC 0x0020 /* prevent chmod modifying exec bits */
|
|
/* (1U << 31) is reserved for signed error codes */
|
|
|
|
/*
|
|
* Set/Get write life time hints. {GET,SET}_RW_HINT operate on the
|
|
* underlying inode, while {GET,SET}_FILE_RW_HINT operate only on
|
|
* the specific file.
|
|
*/
|
|
#define F_GET_RW_HINT (F_LINUX_SPECIFIC_BASE + 11)
|
|
#define F_SET_RW_HINT (F_LINUX_SPECIFIC_BASE + 12)
|
|
#define F_GET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 13)
|
|
#define F_SET_FILE_RW_HINT (F_LINUX_SPECIFIC_BASE + 14)
|
|
|
|
/*
|
|
* Valid hint values for F_{GET,SET}_RW_HINT. 0 is "not set", or can be
|
|
* used to clear any hints previously set.
|
|
*/
|
|
#define RWH_WRITE_LIFE_NOT_SET 0
|
|
#define RWH_WRITE_LIFE_NONE 1
|
|
#define RWH_WRITE_LIFE_SHORT 2
|
|
#define RWH_WRITE_LIFE_MEDIUM 3
|
|
#define RWH_WRITE_LIFE_LONG 4
|
|
#define RWH_WRITE_LIFE_EXTREME 5
|
|
|
|
/*
|
|
* The originally introduced spelling is remained from the first
|
|
* versions of the patch set that introduced the feature, see commit
|
|
* v4.13-rc1~212^2~51.
|
|
*/
|
|
#define RWF_WRITE_LIFE_NOT_SET RWH_WRITE_LIFE_NOT_SET
|
|
|
|
/*
|
|
* Types of directory notifications that may be requested.
|
|
*/
|
|
#define DN_ACCESS 0x00000001 /* File accessed */
|
|
#define DN_MODIFY 0x00000002 /* File modified */
|
|
#define DN_CREATE 0x00000004 /* File created */
|
|
#define DN_DELETE 0x00000008 /* File removed */
|
|
#define DN_RENAME 0x00000010 /* File renamed */
|
|
#define DN_ATTRIB 0x00000020 /* File changed attibutes */
|
|
#define DN_MULTISHOT 0x80000000 /* Don't remove notifier */
|
|
|
|
#define AT_FDCWD -100 /* Special value for dirfd used to
|
|
indicate openat should use the
|
|
current working directory. */
|
|
|
|
|
|
/* Generic flags for the *at(2) family of syscalls. */
|
|
|
|
/* Reserved for per-syscall flags 0xff. */
|
|
#define AT_SYMLINK_NOFOLLOW 0x100 /* Do not follow symbolic
|
|
links. */
|
|
/* Reserved for per-syscall flags 0x200 */
|
|
#define AT_SYMLINK_FOLLOW 0x400 /* Follow symbolic links. */
|
|
#define AT_NO_AUTOMOUNT 0x800 /* Suppress terminal automount
|
|
traversal. */
|
|
#define AT_EMPTY_PATH 0x1000 /* Allow empty relative
|
|
pathname to operate on dirfd
|
|
directly. */
|
|
/*
|
|
* These flags are currently statx(2)-specific, but they could be made generic
|
|
* in the future and so they should not be used for other per-syscall flags.
|
|
*/
|
|
#define AT_STATX_SYNC_TYPE 0x6000 /* Type of synchronisation required from statx() */
|
|
#define AT_STATX_SYNC_AS_STAT 0x0000 /* - Do whatever stat() does */
|
|
#define AT_STATX_FORCE_SYNC 0x2000 /* - Force the attributes to be sync'd with the server */
|
|
#define AT_STATX_DONT_SYNC 0x4000 /* - Don't sync attributes with the server */
|
|
|
|
#define AT_RECURSIVE 0x8000 /* Apply to the entire subtree */
|
|
|
|
/*
|
|
* Per-syscall flags for the *at(2) family of syscalls.
|
|
*
|
|
* These are flags that are so syscall-specific that a user passing these flags
|
|
* to the wrong syscall is so "clearly wrong" that we can safely call such
|
|
* usage "undefined behaviour".
|
|
*
|
|
* For example, the constants AT_REMOVEDIR and AT_EACCESS have the same value.
|
|
* AT_EACCESS is meaningful only to faccessat, while AT_REMOVEDIR is meaningful
|
|
* only to unlinkat. The two functions do completely different things and
|
|
* therefore, the flags can be allowed to overlap. For example, passing
|
|
* AT_REMOVEDIR to faccessat would be undefined behavior and thus treating it
|
|
* equivalent to AT_EACCESS is valid undefined behavior.
|
|
*
|
|
* Note for implementers: When picking a new per-syscall AT_* flag, try to
|
|
* reuse already existing flags first. This leaves us with as many unused bits
|
|
* as possible, so we can use them for generic bits in the future if necessary.
|
|
*/
|
|
|
|
/* Flags for renameat2(2) (must match legacy RENAME_* flags). */
|
|
#define AT_RENAME_NOREPLACE 0x0001
|
|
#define AT_RENAME_EXCHANGE 0x0002
|
|
#define AT_RENAME_WHITEOUT 0x0004
|
|
|
|
/* Flag for faccessat(2). */
|
|
#define AT_EACCESS 0x200 /* Test access permitted for
|
|
effective IDs, not real IDs. */
|
|
/* Flag for unlinkat(2). */
|
|
#define AT_REMOVEDIR 0x200 /* Remove directory instead of
|
|
unlinking file. */
|
|
/* Flags for name_to_handle_at(2). */
|
|
#define AT_HANDLE_FID 0x200 /* File handle is needed to compare
|
|
object identity and may not be
|
|
usable with open_by_handle_at(2). */
|
|
#define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */
|
|
#define AT_HANDLE_CONNECTABLE 0x002 /* Request a connectable file handle */
|
|
|
|
/* Flags for execveat2(2). */
|
|
#define AT_EXECVE_CHECK 0x10000 /* Only perform a check if execution
|
|
would be allowed. */
|
|
|
|
#endif /* _UAPI_LINUX_FCNTL_H */
|