exec: Add a new AT_EXECVE_CHECK flag to execveat(2)
Add a new AT_EXECVE_CHECK flag to execveat(2) to check if a file would
be allowed for execution. The main use case is for script interpreters
and dynamic linkers to check execution permission according to the
kernel's security policy. Another use case is to add context to access
logs e.g., which script (instead of interpreter) accessed a file. As
any executable code, scripts could also use this check [1].
This is different from faccessat(2) + X_OK which only checks a subset of
access rights (i.e. inode permission and mount options for regular
files), but not the full context (e.g. all LSM access checks). The main
use case for access(2) is for SUID processes to (partially) check access
on behalf of their caller. The main use case for execveat(2) +
AT_EXECVE_CHECK is to check if a script execution would be allowed,
according to all the different restrictions in place. Because the use
of AT_EXECVE_CHECK follows the exact kernel semantic as for a real
execution, user space gets the same error codes.
An interesting point of using execveat(2) instead of openat2(2) is that
it decouples the check from the enforcement. Indeed, the security check
can be logged (e.g. with audit) without blocking an execution
environment not yet ready to enforce a strict security policy.
LSMs can control or log execution requests with
security_bprm_creds_for_exec(). However, to enforce a consistent and
complete access control (e.g. on binary's dependencies) LSMs should
restrict file executability, or measure executed files, with
security_file_open() by checking file->f_flags & __FMODE_EXEC.
Because AT_EXECVE_CHECK is dedicated to user space interpreters, it
doesn't make sense for the kernel to parse the checked files, look for
interpreters known to the kernel (e.g. ELF, shebang), and return ENOEXEC
if the format is unknown. Because of that, security_bprm_check() is
never called when AT_EXECVE_CHECK is used.
It should be noted that script interpreters cannot directly use
execveat(2) (without this new AT_EXECVE_CHECK flag) because this could
lead to unexpected behaviors e.g., `python script.sh` could lead to Bash
being executed to interpret the script. Unlike the kernel, script
interpreters may just interpret the shebang as a simple comment, which
should not change for backward compatibility reasons.
Because scripts or libraries files might not currently have the
executable permission set, or because we might want specific users to be
allowed to run arbitrary scripts, the following patch provides a dynamic
configuration mechanism with the SECBIT_EXEC_RESTRICT_FILE and
SECBIT_EXEC_DENY_INTERACTIVE securebits.
This is a redesign of the CLIP OS 4's O_MAYEXEC:
https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb330d6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch
This patch has been used for more than a decade with customized script
interpreters. Some examples can be found here:
https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Jeff Xu <jeffxu@chromium.org>
Link: https://docs.python.org/3/library/io.html#io.open_code [1]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-2-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
2024-12-12 18:42:16 +01:00
|
|
|
.. SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
.. Copyright © 2024 Microsoft Corporation
|
|
|
|
|
|
|
|
|
|
===================
|
|
|
|
|
Executability check
|
|
|
|
|
===================
|
|
|
|
|
|
security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
The new SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and
their *_LOCKED counterparts are designed to be set by processes setting
up an execution environment, such as a user session, a container, or a
security sandbox. Unlike other securebits, these ones can be set by
unprivileged processes. Like seccomp filters or Landlock domains, the
securebits are inherited across processes.
When SECBIT_EXEC_RESTRICT_FILE is set, programs interpreting code should
control executable resources according to execveat(2) + AT_EXECVE_CHECK
(see previous commit).
When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should deny
execution of user interactive commands (which excludes executable
regular files).
Being able to configure each of these securebits enables system
administrators or owner of image containers to gradually validate the
related changes and to identify potential issues (e.g. with interpreter
or audit logs).
It should be noted that unlike other security bits, the
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE bits are
dedicated to user space willing to restrict itself. Because of that,
they only make sense in the context of a trusted environment (e.g.
sandbox, container, user session, full system) where the process
changing its behavior (according to these bits) and all its parent
processes are trusted. Otherwise, any parent process could just execute
its own malicious code (interpreting a script or not), or even enforce a
seccomp filter to mask these bits.
Such a secure environment can be achieved with an appropriate access
control (e.g. mount's noexec option, file access rights, LSM policy) and
an enlighten ld.so checking that libraries are allowed for execution
e.g., to protect against illegitimate use of LD_PRELOAD.
Ptrace restrictions according to these securebits would not make sense
because of the processes' trust assumption.
Scripts may need some changes to deal with untrusted data (e.g. stdin,
environment variables), but that is outside the scope of the kernel.
See chromeOS's documentation about script execution control and the
related threat model:
https://www.chromium.org/chromium-os/developer-library/guides/security/noexec-shell-scripts/
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Paul Moore <paul@paul-moore.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-3-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
2024-12-12 18:42:17 +01:00
|
|
|
The ``AT_EXECVE_CHECK`` :manpage:`execveat(2)` flag, and the
|
|
|
|
|
``SECBIT_EXEC_RESTRICT_FILE`` and ``SECBIT_EXEC_DENY_INTERACTIVE`` securebits
|
|
|
|
|
are intended for script interpreters and dynamic linkers to enforce a
|
|
|
|
|
consistent execution security policy handled by the kernel. See the
|
|
|
|
|
`samples/check-exec/inc.c`_ example.
|
|
|
|
|
|
|
|
|
|
Whether an interpreter should check these securebits or not depends on the
|
|
|
|
|
security risk of running malicious scripts with respect to the execution
|
|
|
|
|
environment, and whether the kernel can check if a script is trustworthy or
|
|
|
|
|
not. For instance, Python scripts running on a server can use arbitrary
|
|
|
|
|
syscalls and access arbitrary files. Such interpreters should then be
|
|
|
|
|
enlighten to use these securebits and let users define their security policy.
|
|
|
|
|
However, a JavaScript engine running in a web browser should already be
|
|
|
|
|
sandboxed and then should not be able to harm the user's environment.
|
|
|
|
|
|
|
|
|
|
Script interpreters or dynamic linkers built for tailored execution environments
|
|
|
|
|
(e.g. hardened Linux distributions or hermetic container images) could use
|
|
|
|
|
``AT_EXECVE_CHECK`` without checking the related securebits if backward
|
|
|
|
|
compatibility is handled by something else (e.g. atomic update ensuring that
|
|
|
|
|
all legitimate libraries are allowed to be executed). It is then recommended
|
|
|
|
|
for script interpreters and dynamic linkers to check the securebits at run time
|
|
|
|
|
by default, but also to provide the ability for custom builds to behave like if
|
|
|
|
|
``SECBIT_EXEC_RESTRICT_FILE`` or ``SECBIT_EXEC_DENY_INTERACTIVE`` were always
|
|
|
|
|
set to 1 (i.e. always enforce restrictions).
|
|
|
|
|
|
exec: Add a new AT_EXECVE_CHECK flag to execveat(2)
Add a new AT_EXECVE_CHECK flag to execveat(2) to check if a file would
be allowed for execution. The main use case is for script interpreters
and dynamic linkers to check execution permission according to the
kernel's security policy. Another use case is to add context to access
logs e.g., which script (instead of interpreter) accessed a file. As
any executable code, scripts could also use this check [1].
This is different from faccessat(2) + X_OK which only checks a subset of
access rights (i.e. inode permission and mount options for regular
files), but not the full context (e.g. all LSM access checks). The main
use case for access(2) is for SUID processes to (partially) check access
on behalf of their caller. The main use case for execveat(2) +
AT_EXECVE_CHECK is to check if a script execution would be allowed,
according to all the different restrictions in place. Because the use
of AT_EXECVE_CHECK follows the exact kernel semantic as for a real
execution, user space gets the same error codes.
An interesting point of using execveat(2) instead of openat2(2) is that
it decouples the check from the enforcement. Indeed, the security check
can be logged (e.g. with audit) without blocking an execution
environment not yet ready to enforce a strict security policy.
LSMs can control or log execution requests with
security_bprm_creds_for_exec(). However, to enforce a consistent and
complete access control (e.g. on binary's dependencies) LSMs should
restrict file executability, or measure executed files, with
security_file_open() by checking file->f_flags & __FMODE_EXEC.
Because AT_EXECVE_CHECK is dedicated to user space interpreters, it
doesn't make sense for the kernel to parse the checked files, look for
interpreters known to the kernel (e.g. ELF, shebang), and return ENOEXEC
if the format is unknown. Because of that, security_bprm_check() is
never called when AT_EXECVE_CHECK is used.
It should be noted that script interpreters cannot directly use
execveat(2) (without this new AT_EXECVE_CHECK flag) because this could
lead to unexpected behaviors e.g., `python script.sh` could lead to Bash
being executed to interpret the script. Unlike the kernel, script
interpreters may just interpret the shebang as a simple comment, which
should not change for backward compatibility reasons.
Because scripts or libraries files might not currently have the
executable permission set, or because we might want specific users to be
allowed to run arbitrary scripts, the following patch provides a dynamic
configuration mechanism with the SECBIT_EXEC_RESTRICT_FILE and
SECBIT_EXEC_DENY_INTERACTIVE securebits.
This is a redesign of the CLIP OS 4's O_MAYEXEC:
https://github.com/clipos-archive/src_platform_clip-patches/blob/f5cb330d6b684752e403b4e41b39f7004d88e561/1901_open_mayexec.patch
This patch has been used for more than a decade with customized script
interpreters. Some examples can be found here:
https://github.com/clipos-archive/clipos4_portage-overlay/search?q=O_MAYEXEC
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Jeff Xu <jeffxu@chromium.org>
Link: https://docs.python.org/3/library/io.html#io.open_code [1]
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-2-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
2024-12-12 18:42:16 +01:00
|
|
|
AT_EXECVE_CHECK
|
|
|
|
|
===============
|
|
|
|
|
|
|
|
|
|
Passing the ``AT_EXECVE_CHECK`` flag to :manpage:`execveat(2)` only performs a
|
|
|
|
|
check on a regular file and returns 0 if execution of this file would be
|
|
|
|
|
allowed, ignoring the file format and then the related interpreter dependencies
|
|
|
|
|
(e.g. ELF libraries, script's shebang).
|
|
|
|
|
|
|
|
|
|
Programs should always perform this check to apply kernel-level checks against
|
|
|
|
|
files that are not directly executed by the kernel but passed to a user space
|
|
|
|
|
interpreter instead. All files that contain executable code, from the point of
|
|
|
|
|
view of the interpreter, should be checked. However the result of this check
|
|
|
|
|
should only be enforced according to ``SECBIT_EXEC_RESTRICT_FILE`` or
|
|
|
|
|
``SECBIT_EXEC_DENY_INTERACTIVE.``.
|
|
|
|
|
|
|
|
|
|
The main purpose of this flag is to improve the security and consistency of an
|
|
|
|
|
execution environment to ensure that direct file execution (e.g.
|
|
|
|
|
``./script.sh``) and indirect file execution (e.g. ``sh script.sh``) lead to
|
|
|
|
|
the same result. For instance, this can be used to check if a file is
|
|
|
|
|
trustworthy according to the caller's environment.
|
|
|
|
|
|
|
|
|
|
In a secure environment, libraries and any executable dependencies should also
|
|
|
|
|
be checked. For instance, dynamic linking should make sure that all libraries
|
|
|
|
|
are allowed for execution to avoid trivial bypass (e.g. using ``LD_PRELOAD``).
|
|
|
|
|
For such secure execution environment to make sense, only trusted code should
|
|
|
|
|
be executable, which also requires integrity guarantees.
|
|
|
|
|
|
|
|
|
|
To avoid race conditions leading to time-of-check to time-of-use issues,
|
|
|
|
|
``AT_EXECVE_CHECK`` should be used with ``AT_EMPTY_PATH`` to check against a
|
|
|
|
|
file descriptor instead of a path.
|
security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
The new SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and
their *_LOCKED counterparts are designed to be set by processes setting
up an execution environment, such as a user session, a container, or a
security sandbox. Unlike other securebits, these ones can be set by
unprivileged processes. Like seccomp filters or Landlock domains, the
securebits are inherited across processes.
When SECBIT_EXEC_RESTRICT_FILE is set, programs interpreting code should
control executable resources according to execveat(2) + AT_EXECVE_CHECK
(see previous commit).
When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should deny
execution of user interactive commands (which excludes executable
regular files).
Being able to configure each of these securebits enables system
administrators or owner of image containers to gradually validate the
related changes and to identify potential issues (e.g. with interpreter
or audit logs).
It should be noted that unlike other security bits, the
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE bits are
dedicated to user space willing to restrict itself. Because of that,
they only make sense in the context of a trusted environment (e.g.
sandbox, container, user session, full system) where the process
changing its behavior (according to these bits) and all its parent
processes are trusted. Otherwise, any parent process could just execute
its own malicious code (interpreting a script or not), or even enforce a
seccomp filter to mask these bits.
Such a secure environment can be achieved with an appropriate access
control (e.g. mount's noexec option, file access rights, LSM policy) and
an enlighten ld.so checking that libraries are allowed for execution
e.g., to protect against illegitimate use of LD_PRELOAD.
Ptrace restrictions according to these securebits would not make sense
because of the processes' trust assumption.
Scripts may need some changes to deal with untrusted data (e.g. stdin,
environment variables), but that is outside the scope of the kernel.
See chromeOS's documentation about script execution control and the
related threat model:
https://www.chromium.org/chromium-os/developer-library/guides/security/noexec-shell-scripts/
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Paul Moore <paul@paul-moore.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Jeff Xu <jeffxu@chromium.org>
Tested-by: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-3-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
2024-12-12 18:42:17 +01:00
|
|
|
|
|
|
|
|
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
|
|
|
|
|
==========================================================
|
|
|
|
|
|
|
|
|
|
When ``SECBIT_EXEC_RESTRICT_FILE`` is set, a process should only interpret or
|
|
|
|
|
execute a file if a call to :manpage:`execveat(2)` with the related file
|
|
|
|
|
descriptor and the ``AT_EXECVE_CHECK`` flag succeed.
|
|
|
|
|
|
|
|
|
|
This secure bit may be set by user session managers, service managers,
|
|
|
|
|
container runtimes, sandboxer tools... Except for test environments, the
|
|
|
|
|
related ``SECBIT_EXEC_RESTRICT_FILE_LOCKED`` bit should also be set.
|
|
|
|
|
|
|
|
|
|
Programs should only enforce consistent restrictions according to the
|
|
|
|
|
securebits but without relying on any other user-controlled configuration.
|
|
|
|
|
Indeed, the use case for these securebits is to only trust executable code
|
|
|
|
|
vetted by the system configuration (through the kernel), so we should be
|
|
|
|
|
careful to not let untrusted users control this configuration.
|
|
|
|
|
|
|
|
|
|
However, script interpreters may still use user configuration such as
|
|
|
|
|
environment variables as long as it is not a way to disable the securebits
|
|
|
|
|
checks. For instance, the ``PATH`` and ``LD_PRELOAD`` variables can be set by
|
|
|
|
|
a script's caller. Changing these variables may lead to unintended code
|
|
|
|
|
executions, but only from vetted executable programs, which is OK. For this to
|
|
|
|
|
make sense, the system should provide a consistent security policy to avoid
|
|
|
|
|
arbitrary code execution e.g., by enforcing a write xor execute policy.
|
|
|
|
|
|
|
|
|
|
When ``SECBIT_EXEC_DENY_INTERACTIVE`` is set, a process should never interpret
|
|
|
|
|
interactive user commands (e.g. scripts). However, if such commands are passed
|
|
|
|
|
through a file descriptor (e.g. stdin), its content should be interpreted if a
|
|
|
|
|
call to :manpage:`execveat(2)` with the related file descriptor and the
|
|
|
|
|
``AT_EXECVE_CHECK`` flag succeed.
|
|
|
|
|
|
|
|
|
|
For instance, script interpreters called with a script snippet as argument
|
|
|
|
|
should always deny such execution if ``SECBIT_EXEC_DENY_INTERACTIVE`` is set.
|
|
|
|
|
|
|
|
|
|
This secure bit may be set by user session managers, service managers,
|
|
|
|
|
container runtimes, sandboxer tools... Except for test environments, the
|
|
|
|
|
related ``SECBIT_EXEC_DENY_INTERACTIVE_LOCKED`` bit should also be set.
|
|
|
|
|
|
|
|
|
|
Here is the expected behavior for a script interpreter according to combination
|
|
|
|
|
of any exec securebits:
|
|
|
|
|
|
|
|
|
|
1. ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``
|
|
|
|
|
|
|
|
|
|
Always interpret scripts, and allow arbitrary user commands (default).
|
|
|
|
|
|
|
|
|
|
No threat, everyone and everything is trusted, but we can get ahead of
|
|
|
|
|
potential issues thanks to the call to :manpage:`execveat(2)` with
|
|
|
|
|
``AT_EXECVE_CHECK`` which should always be performed but ignored by the
|
|
|
|
|
script interpreter. Indeed, this check is still important to enable systems
|
|
|
|
|
administrators to verify requests (e.g. with audit) and prepare for
|
|
|
|
|
migration to a secure mode.
|
|
|
|
|
|
|
|
|
|
2. ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``
|
|
|
|
|
|
|
|
|
|
Deny script interpretation if they are not executable, but allow
|
|
|
|
|
arbitrary user commands.
|
|
|
|
|
|
|
|
|
|
The threat is (potential) malicious scripts run by trusted (and not fooled)
|
|
|
|
|
users. That can protect against unintended script executions (e.g. ``sh
|
|
|
|
|
/tmp/*.sh``). This makes sense for (semi-restricted) user sessions.
|
|
|
|
|
|
|
|
|
|
3. ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``
|
|
|
|
|
|
|
|
|
|
Always interpret scripts, but deny arbitrary user commands.
|
|
|
|
|
|
|
|
|
|
This use case may be useful for secure services (i.e. without interactive
|
|
|
|
|
user session) where scripts' integrity is verified (e.g. with IMA/EVM or
|
|
|
|
|
dm-verity/IPE) but where access rights might not be ready yet. Indeed,
|
|
|
|
|
arbitrary interactive commands would be much more difficult to check.
|
|
|
|
|
|
|
|
|
|
4. ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``
|
|
|
|
|
|
|
|
|
|
Deny script interpretation if they are not executable, and also deny
|
|
|
|
|
any arbitrary user commands.
|
|
|
|
|
|
|
|
|
|
The threat is malicious scripts run by untrusted users (but trusted code).
|
|
|
|
|
This makes sense for system services that may only execute trusted scripts.
|
|
|
|
|
|
|
|
|
|
.. Links
|
|
|
|
|
.. _samples/check-exec/inc.c:
|
|
|
|
|
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/check-exec/inc.c
|