From: kernel test robot <lkp@intel.com>
To: "Mickaël Salaün" <mic@digikod.net>,
"Al Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Kees Cook" <keescook@chromium.org>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Paul Moore" <paul@paul-moore.com>,
"Serge Hallyn" <serge@hallyn.com>,
"Theodore Ts'o" <tytso@mit.edu>
Cc: oe-kbuild-all@lists.linux.dev,
LKML <linux-kernel@vger.kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
"Adhemerval Zanella Netto" <adhemerval.zanella@linaro.org>,
"Alejandro Colomar" <alx@kernel.org>,
"Aleksa Sarai" <cyphar@cyphar.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Linux Memory Management List" <linux-mm@kvack.org>,
"Andy Lutomirski" <luto@kernel.org>,
"Arnd Bergmann" <arnd@arndb.de>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Christian Heimes" <christian@python.org>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Elliott Hughes" <enh@google.com>,
"Eric Biggers" <ebiggers@kernel.org>,
"Eric Chiang" <ericchiang@google.com>,
"Fan Wu" <wufan@linux.microsoft.com>,
"Florian Weimer" <fweimer@redhat.com>,
"Geert Uytterhoeven" <geert@linux-m68k.org>,
"James Morris" <jamorris@linux.microsoft.com>,
"Jan Kara" <jack@suse.cz>, "Jann Horn" <jannh@google.com>,
"Jeff Xu" <jeffxu@google.com>, "Jonathan Corbet" <corbet@lwn.net>
Subject: Re: [PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
Date: Tue, 15 Oct 2024 07:11:43 +0800 [thread overview]
Message-ID: <202410150702.GVWMEEA4-lkp@intel.com> (raw)
In-Reply-To: <20241011184422.977903-3-mic@digikod.net>
Hi Mickaël,
kernel test robot noticed the following build warnings:
[auto build test WARNING on 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b]
url: https://github.com/intel-lab-lkp/linux/commits/Micka-l-Sala-n/exec-Add-a-new-AT_CHECK-flag-to-execveat-2/20241012-024801
base: 8cf0b93919e13d1e8d4466eb4080a4c4d9d66d7b
patch link: https://lore.kernel.org/r/20241011184422.977903-3-mic%40digikod.net
patch subject: [PATCH v20 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
config: alpha-allnoconfig (https://download.01.org/0day-ci/archive/20241015/202410150702.GVWMEEA4-lkp@intel.com/config)
compiler: alpha-linux-gcc (GCC) 13.3.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20241015/202410150702.GVWMEEA4-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202410150702.GVWMEEA4-lkp@intel.com/
All warnings (new ones prefixed by >>):
In file included from include/linux/securebits.h:5,
from include/linux/init_task.h:13,
from init/init_task.c:2:
>> include/uapi/linux/securebits.h:135:23: warning: "/*" within comment [-Wcomment]
135 | * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user
|
vim +135 include/uapi/linux/securebits.h
97
98 #define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE))
99 #define SECBIT_EXEC_RESTRICT_FILE_LOCKED \
100 (issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED))
101
102 /*
103 * When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret
104 * interactive user commands (e.g. scripts). However, if such commands are
105 * passed through a file descriptor (e.g. stdin), its content should be
106 * interpreted if a call to execveat(2) with the related file descriptor and
107 * the AT_CHECK flag succeed.
108 *
109 * For instance, script interpreters called with a script snippet as argument
110 * should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set.
111 *
112 * This secure bit may be set by user session managers, service managers,
113 * container runtimes, sandboxer tools... Except for test environments, the
114 * related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set.
115 *
116 * See the SECBIT_EXEC_RESTRICT_FILE documentation.
117 *
118 * Here is the expected behavior for a script interpreter according to
119 * combination of any exec securebits:
120 *
121 * 1. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=0 (default)
122 * Always interpret scripts, and allow arbitrary user commands.
123 * => No threat, everyone and everything is trusted, but we can get ahead of
124 * potential issues thanks to the call to execveat with AT_CHECK which
125 * should always be performed but ignored by the script interpreter.
126 * Indeed, this check is still important to enable systems administrators
127 * to verify requests (e.g. with audit) and prepare for migration to a
128 * secure mode.
129 *
130 * 2. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=0
131 * Deny script interpretation if they are not executable, but allow
132 * arbitrary user commands.
133 * => The threat is (potential) malicious scripts run by trusted (and not
134 * fooled) users. That can protect against unintended script executions
> 135 * (e.g. sh /tmp/*.sh). This makes sense for (semi-restricted) user
136 * sessions.
137 *
138 * 3. SECURE_EXEC_RESTRICT_FILE=0 SECURE_EXEC_DENY_INTERACTIVE=1
139 * Always interpret scripts, but deny arbitrary user commands.
140 * => This use case may be useful for secure services (i.e. without
141 * interactive user session) where scripts' integrity is verified (e.g.
142 * with IMA/EVM or dm-verity/IPE) but where access rights might not be
143 * ready yet. Indeed, arbitrary interactive commands would be much more
144 * difficult to check.
145 *
146 * 4. SECURE_EXEC_RESTRICT_FILE=1 SECURE_EXEC_DENY_INTERACTIVE=1
147 * Deny script interpretation if they are not executable, and also deny
148 * any arbitrary user commands.
149 * => The threat is malicious scripts run by untrusted users (but trusted
150 * code). This makes sense for system services that may only execute
151 * trusted scripts.
152 */
153 #define SECURE_EXEC_DENY_INTERACTIVE 10
154 #define SECURE_EXEC_DENY_INTERACTIVE_LOCKED 11 /* make bit-10 immutable */
155
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
next parent reply other threads:[~2024-10-14 23:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20241011184422.977903-3-mic@digikod.net>
2024-10-14 23:11 ` kernel test robot [this message]
2024-10-14 23:52 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202410150702.GVWMEEA4-lkp@intel.com \
--to=lkp@intel.com \
--cc=adhemerval.zanella@linaro.org \
--cc=akpm@linux-foundation.org \
--cc=alx@kernel.org \
--cc=arnd@arndb.de \
--cc=brauner@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=cyphar@cyphar.com \
--cc=dvyukov@google.com \
--cc=ebiggers@kernel.org \
--cc=enh@google.com \
--cc=ericchiang@google.com \
--cc=fweimer@redhat.com \
--cc=geert@linux-m68k.org \
--cc=jack@suse.cz \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mic@digikod.net \
--cc=oe-kbuild-all@lists.linux.dev \
--cc=paul@paul-moore.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=wufan@linux.microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox