[GIT PULL] Add trusted_for(2) (was O_MAYEXEC)
From: Mickaël Salaün
Date: Mon Mar 21 2022 - 12:15:14 EST
Hi Linus,
This patch series adds a new syscall named trusted_for. It enables user
space to ask the kernel: is this file descriptor's content trusted to be
used for this purpose? The set of usage currently only contains
execution, but other may follow (e.g. configuration, sensitive data).
If the kernel identifies the file descriptor as trustworthy for this
usage, user space should then take this information into account. The
"execution" usage means that the content of the file descriptor is
trusted according to the system policy to be executed by user space,
which means that it interprets the content or (try to) maps it as
executable memory.
A simple system-wide security policy can be set by the system
administrator through a sysctl configuration consistent with the mount
points or the file access rights. The documentation explains the
prerequisites.
It is important to note that this can only enable to extend access
control managed by the kernel. Hence it enables current access control
mechanism to be extended and become a superset of what they can
currently control. Indeed, the security policy could also be delegated
to an LSM, either a MAC system or an integrity system. For instance,
this is required to close a major IMA measurement/appraisal interpreter
integrity gap by bringing the ability to check the use of scripts.
Other uses are expected as well.
For further details, please see the latest cover letter:
https://lore.kernel.org/r/20220104155024.48023-1-mic@xxxxxxxxxxx
Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin()
to sysctl.c") was recently added due to the sysctl refactoring.
Commit e674341a90b9 ("selftests/interpreter: fix separate directory
build") will fix some test build cases as explained here:
https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@xxxxxxxxxxxxx
Merging this commit without the new KHDR_INCLUDES is not an issue.
The upcoming kselftest pull request is ready:
https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next
This patch series has been open for review for more than three years and
got a lot of feedbacks (and bikeshedding) which were all considered.
Since I heard no objection, please consider to pull this code for
v5.18-rc1 . These five patches have been successfully tested in the
latest linux-next releases for several weeks.
Regards,
Mickaël
--
The following changes since commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60:
gcc-plugins/stackleak: Use noinstr in favor of notrace (2022-02-03 17:02:21 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/trusted-for-v18
for you to fetch changes up to e674341a90b95c3458d684ae25e6891afc3e03ad:
selftests/interpreter: fix separate directory build (2022-03-04 10:56:25 +0100)
----------------------------------------------------------------
Add the trusted_for system call (v18)
The final goal of this patch series is to enable the kernel to be a
global policy manager by entrusting processes with access control at
their level. To reach this goal, two complementary parts are required:
* user space needs to be able to know if it can trust some file
descriptor content for a specific usage;
* and the kernel needs to make available some part of the policy
configured by the system administrator.
In a nutshell, this is a required building block to control script
execution.
For further details see the latest cover letter:
https://lore.kernel.org/r/20220104155024.48023-1-mic@xxxxxxxxxxx
----------------------------------------------------------------
Mickaël Salaün (4):
printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c
fs: Add trusted_for(2) syscall implementation and related sysctl
arch: Wire up trusted_for(2)
selftest/interpreter: Add tests for trusted_for(2) policies
Muhammad Usama Anjum (1):
selftests/interpreter: fix separate directory build
Documentation/admin-guide/sysctl/fs.rst | 50 +++
arch/alpha/kernel/syscalls/syscall.tbl | 1 +
arch/arm/tools/syscall.tbl | 1 +
arch/arm64/include/asm/unistd.h | 2 +-
arch/arm64/include/asm/unistd32.h | 2 +
arch/ia64/kernel/syscalls/syscall.tbl | 1 +
arch/m68k/kernel/syscalls/syscall.tbl | 1 +
arch/microblaze/kernel/syscalls/syscall.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n32.tbl | 1 +
arch/mips/kernel/syscalls/syscall_n64.tbl | 1 +
arch/mips/kernel/syscalls/syscall_o32.tbl | 1 +
arch/parisc/kernel/syscalls/syscall.tbl | 1 +
arch/powerpc/kernel/syscalls/syscall.tbl | 1 +
arch/s390/kernel/syscalls/syscall.tbl | 1 +
arch/sh/kernel/syscalls/syscall.tbl | 1 +
arch/sparc/kernel/syscalls/syscall.tbl | 1 +
arch/x86/entry/syscalls/syscall_32.tbl | 1 +
arch/x86/entry/syscalls/syscall_64.tbl | 1 +
arch/xtensa/kernel/syscalls/syscall.tbl | 1 +
fs/open.c | 133 ++++++++
fs/proc/proc_sysctl.c | 2 +-
include/linux/syscalls.h | 1 +
include/linux/sysctl.h | 3 +
include/uapi/asm-generic/unistd.h | 5 +-
include/uapi/linux/trusted-for.h | 18 +
kernel/printk/sysctl.c | 9 -
kernel/sysctl.c | 9 +
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/interpreter/.gitignore | 2 +
tools/testing/selftests/interpreter/Makefile | 21 ++
tools/testing/selftests/interpreter/config | 1 +
.../selftests/interpreter/trust_policy_test.c | 362 +++++++++++++++++++++
32 files changed, 625 insertions(+), 12 deletions(-)
create mode 100644 include/uapi/linux/trusted-for.h
create mode 100644 tools/testing/selftests/interpreter/.gitignore
create mode 100644 tools/testing/selftests/interpreter/Makefile
create mode 100644 tools/testing/selftests/interpreter/config
create mode 100644 tools/testing/selftests/interpreter/trust_policy_test.c