From patchwork Tue Jan 31 14:48:25 2017
X-Patchwork-Submitter: Mimi Zohar
X-Patchwork-Id: 9547405
Subject: [RFC PATCH] shebang: restrict python interactive prompt/interpreter
From: Mimi Zohar
To: linux-security-module
Cc: Paul Moore, "casey.schaufler", John Johansen, Kees Cook
Date: Tue, 31 Jan 2017 09:48:25 -0500
Message-Id: <1485874105.5036.5.camel@linux.vnet.ibm.com>
Sender: owner-linux-security-module@vger.kernel.org

This patch, posted as a proof of concept, defines a new, minor LSM named "shebang", that restricts python such that scripts are allowed to execute, while the interactive prompt/interpreter is not available. When used in conjunction with an IMA appraise execute policy requiring file signatures, only signed python scripts would be allowed to execute.

Based on pathname (very lame!), this patch prevents the interactive prompt/interpreter from being executed. Before making it just a bit more robust, do we really need a new minor LSM or can the existing LSMs (e.g. SELinux, Smack, AppArmor) be configured to provide this support? Any suggestions or other solutions would be much appreciated!

thanks!
Mimi Zohar --- security/Kconfig | 1 + security/Makefile | 2 ++ security/shebang/Kconfig | 15 ++++++++++++ security/shebang/Makefile | 3 +++ security/shebang/shebang_python.c | 50 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 71 insertions(+) create mode 100644 security/shebang/Kconfig create mode 100644 security/shebang/Makefile create mode 100644 security/shebang/shebang_python.c diff --git a/security/Kconfig b/security/Kconfig index 118f4549404e..8b12837ce933 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -164,6 +164,7 @@ source security/tomoyo/Kconfig source security/apparmor/Kconfig source security/loadpin/Kconfig source security/yama/Kconfig +source security/shebang/Kconfig source security/integrity/Kconfig diff --git a/security/Makefile b/security/Makefile index f2d71cdb8e19..00a8dbebb07f 100644 --- a/security/Makefile +++ b/security/Makefile @@ -9,6 +9,7 @@ subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor subdir-$(CONFIG_SECURITY_YAMA) += yama subdir-$(CONFIG_SECURITY_LOADPIN) += loadpin +subdir-$(CONFIG_SECURITY_SHEBANG) += shebang # always enable default capabilities obj-y += commoncap.o @@ -24,6 +25,7 @@ obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ obj-$(CONFIG_SECURITY_YAMA) += yama/ obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ +obj-$(CONFIG_SECURITY_SHEBANG) += shebang/ obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o # Object integrity file lists diff --git a/security/shebang/Kconfig b/security/shebang/Kconfig new file mode 100644 index 000000000000..c2e943159307 --- /dev/null +++ b/security/shebang/Kconfig 
@@ -0,0 +1,15 @@ +config SECURITY_SHEBANG + bool "Restrict python interactive prompt/interpreter" + depends on SECURITY + help + Restrict python so that python scripts are allowed to execute, + while the interactive prompt/interpreter is not available. When + used in conjunction with an IMA appraise policy requiring files + signatures, only signed scripts will be executed. + +config SECURITY_INTERP_PATHNAME + string "interpreter pathname" + depends on SECURITY_SHEBANG + default "/usr/bin/python" + help + This option defines a script interpreter pathname. diff --git a/security/shebang/Makefile b/security/shebang/Makefile new file mode 100644 index 000000000000..f1b83dcb96d1 --- /dev/null +++ b/security/shebang/Makefile @@ -0,0 +1,3 @@ +obj-$(CONFIG_SECURITY_SHEBANG) += shebang.o + +shebang-y := shebang_python.o diff --git a/security/shebang/shebang_python.c b/security/shebang/shebang_python.c new file mode 100644 index 000000000000..5f319badd2b3 --- /dev/null +++ b/security/shebang/shebang_python.c 
@@ -0,0 +1,50 @@ +/* + * shebang security module + * + * Copyright (C) 2017 IBM Corporation + * + * Authors: + * Mimi Zohar + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#define pr_fmt(fmt) "shebang: " fmt +#include +#include +#include + +static char *pathname; + +/** + * shebang_bprm_check + * @bprm: contains the linux_binprm structure + */ +int shebang_bprm_check(struct linux_binprm *bprm) +{ + if ((bprm->interp == bprm->filename) && + strcmp(bprm->interp, pathname) == 0) { + pr_info("prevent executing %s \n", bprm->interp); + return -EPERM; + } + return 0; +} + +static struct security_hook_list shebang_hooks[] = { + LSM_HOOK_INIT(bprm_check_security, shebang_bprm_check) +}; + +static int __init init_shebang(void) +{ + pathname = kstrdup(CONFIG_SECURITY_INTERP_PATHNAME, GFP_KERNEL); + security_add_hooks(shebang_hooks, ARRAY_SIZE(shebang_hooks), "shebang"); + pr_info("initialized\n"); + return 0; +} + +late_initcall(init_shebang); + +MODULE_LICENSE("GPL");
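Review bot: in security/shebang/Kconfig the help text under SECURITY_SHEBANG reads "requiring files signatures" where "requiring file signatures" is meant, and SECURITY_INTERP_PATHNAME is a generic name for an option only this module reads; a module-prefixed name (e.g. SECURITY_SHEBANG_INTERP_PATHNAME) would match how the other minor LSM options are named. The single string default "/usr/bin/python" also cannot cover a system that ships /usr/bin/python2 and /usr/bin/python3 next to the /usr/bin/python symlink, so if the pathname approach is kept the option needs to accept more than one interpreter.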
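Review bot: in security/shebang/shebang_python.c, shebang_bprm_check() matches on the string the caller passed to execve rather than on the file that was actually opened, so an execve of "./python" from inside /usr/bin, of a hardlink, or of a copy of the binary arrives with bprm->filename != "/usr/bin/python" and is not blocked; comparing bprm->file (its inode, or d_path() of bprm->file->f_path) against the configured file would make the check independent of how the path was spelled. The pointer test bprm->interp == bprm->filename relies on do_execveat_common() initialising interp to filename and on binfmt_script repointing interp at the interpreter; that holds today but deserves a comment, as does the case of a script whose shebang line carries "-i", which passes the interp != filename test and still ends in the interactive prompt. Smaller points: the kstrdup() result in init_shebang() is never checked (a NULL would oops in strcmp()), and the copy is unnecessary because CONFIG_SECURITY_INTERP_PATHNAME is a compile-time string that can be used directly as a static const char array; shebang_bprm_check() should be static; and pr_info("prevent executing %s \n", bprm->interp) has a stray space before the newline and, being reachable from any unprivileged execve, should be rate limited (pr_info_ratelimited()).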