From patchwork Mon Mar 21 16:15:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 12787509 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 024BCC433EF for ; Mon, 21 Mar 2022 16:15:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242088AbiCUQQd (ORCPT ); Mon, 21 Mar 2022 12:16:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60510 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350888AbiCUQQb (ORCPT ); Mon, 21 Mar 2022 12:16:31 -0400 Received: from smtp-8faa.mail.infomaniak.ch (smtp-8faa.mail.infomaniak.ch [83.166.143.170]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F3E6328E2E for ; Mon, 21 Mar 2022 09:15:03 -0700 (PDT) Received: from smtp-3-0000.mail.infomaniak.ch (unknown [10.4.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4KMfpY1xlxzMptNy; Mon, 21 Mar 2022 17:15:01 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4KMfpV5pNCzlhRVJ; Mon, 21 Mar 2022 17:14:58 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: Linus Torvalds Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Al Viro , Andrew Morton , Christian Heimes , Geert Uytterhoeven , James Morris , Kees Cook , Luis Chamberlain , Mimi Zohar , Muhammad Usama Anjum , Paul Moore , =?utf-8?q?Philippe_Tr=C3=A9buchet?= , Shuah Khan , Steve Dower , Thibaut Sautereau , Vincent Strubel , linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [GIT PULL] Add trusted_for(2) (was O_MAYEXEC) Date: Mon, 21 Mar 2022 17:15:57 +0100 Message-Id: <20220321161557.495388-1-mic@digikod.net> MIME-Version: 1.0 Precedence: bulk List-ID: Hi Linus, This patch series adds a new syscall named trusted_for. It enables user space to ask the kernel: is this file descriptor's content trusted to be used for this purpose? The set of usage currently only contains execution, but other may follow (e.g. configuration, sensitive data). If the kernel identifies the file descriptor as trustworthy for this usage, user space should then take this information into account. The "execution" usage means that the content of the file descriptor is trusted according to the system policy to be executed by user space, which means that it interprets the content or (try to) maps it as executable memory. A simple system-wide security policy can be set by the system administrator through a sysctl configuration consistent with the mount points or the file access rights. The documentation explains the prerequisites. It is important to note that this can only enable to extend access control managed by the kernel. Hence it enables current access control mechanism to be extended and become a superset of what they can currently control. Indeed, the security policy could also be delegated to an LSM, either a MAC system or an integrity system. For instance, this is required to close a major IMA measurement/appraisal interpreter integrity gap by bringing the ability to check the use of scripts. Other uses are expected as well. For further details, please see the latest cover letter: https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net Commit dae71698b6c5 ("printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c") was recently added due to the sysctl refactoring. Commit e674341a90b9 ("selftests/interpreter: fix separate directory build") will fix some test build cases as explained here: https://lore.kernel.org/r/20220119101531.2850400-1-usama.anjum@collabora.com Merging this commit without the new KHDR_INCLUDES is not an issue. The upcoming kselftest pull request is ready: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git/log/?h=next This patch series has been open for review for more than three years and got a lot of feedbacks (and bikeshedding) which were all considered. Since I heard no objection, please consider to pull this code for v5.18-rc1 . These five patches have been successfully tested in the latest linux-next releases for several weeks. Regards, Mickaël --- The following changes since commit dcb85f85fa6f142aae1fe86f399d4503d49f2b60: gcc-plugins/stackleak: Use noinstr in favor of notrace (2022-02-03 17:02:21 -0800) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux.git tags/trusted-for-v18 for you to fetch changes up to e674341a90b95c3458d684ae25e6891afc3e03ad: selftests/interpreter: fix separate directory build (2022-03-04 10:56:25 +0100) ---------------------------------------------------------------- Add the trusted_for system call (v18) The final goal of this patch series is to enable the kernel to be a global policy manager by entrusting processes with access control at their level. To reach this goal, two complementary parts are required: * user space needs to be able to know if it can trust some file descriptor content for a specific usage; * and the kernel needs to make available some part of the policy configured by the system administrator. In a nutshell, this is a required building block to control script execution. For further details see the latest cover letter: https://lore.kernel.org/r/20220104155024.48023-1-mic@digikod.net ---------------------------------------------------------------- Mickaël Salaün (4): printk: Move back proc_dointvec_minmax_sysadmin() to sysctl.c fs: Add trusted_for(2) syscall implementation and related sysctl arch: Wire up trusted_for(2) selftest/interpreter: Add tests for trusted_for(2) policies Muhammad Usama Anjum (1): selftests/interpreter: fix separate directory build Documentation/admin-guide/sysctl/fs.rst | 50 +++ arch/alpha/kernel/syscalls/syscall.tbl | 1 + arch/arm/tools/syscall.tbl | 1 + arch/arm64/include/asm/unistd.h | 2 +- arch/arm64/include/asm/unistd32.h | 2 + arch/ia64/kernel/syscalls/syscall.tbl | 1 + arch/m68k/kernel/syscalls/syscall.tbl | 1 + arch/microblaze/kernel/syscalls/syscall.tbl | 1 + arch/mips/kernel/syscalls/syscall_n32.tbl | 1 + arch/mips/kernel/syscalls/syscall_n64.tbl | 1 + arch/mips/kernel/syscalls/syscall_o32.tbl | 1 + arch/parisc/kernel/syscalls/syscall.tbl | 1 + arch/powerpc/kernel/syscalls/syscall.tbl | 1 + arch/s390/kernel/syscalls/syscall.tbl | 1 + arch/sh/kernel/syscalls/syscall.tbl | 1 + arch/sparc/kernel/syscalls/syscall.tbl | 1 + arch/x86/entry/syscalls/syscall_32.tbl | 1 + arch/x86/entry/syscalls/syscall_64.tbl | 1 + arch/xtensa/kernel/syscalls/syscall.tbl | 1 + fs/open.c | 133 ++++++++ fs/proc/proc_sysctl.c | 2 +- include/linux/syscalls.h | 1 + include/linux/sysctl.h | 3 + include/uapi/asm-generic/unistd.h | 5 +- include/uapi/linux/trusted-for.h | 18 + kernel/printk/sysctl.c | 9 - kernel/sysctl.c | 9 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/interpreter/.gitignore | 2 + tools/testing/selftests/interpreter/Makefile | 21 ++ tools/testing/selftests/interpreter/config | 1 + .../selftests/interpreter/trust_policy_test.c | 362 +++++++++++++++++++++ 32 files changed, 625 insertions(+), 12 deletions(-) create mode 100644 include/uapi/linux/trusted-for.h create mode 100644 tools/testing/selftests/interpreter/.gitignore create mode 100644 tools/testing/selftests/interpreter/Makefile create mode 100644 tools/testing/selftests/interpreter/config create mode 100644 tools/testing/selftests/interpreter/trust_policy_test.c