Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-09 Thread Mickaël Salaün
On 07/09/2019 00:44, Aleksa Sarai wrote: > On 2019-09-06, Andy Lutomirski wrote: >>> On Sep 6, 2019, at 12:07 PM, Steve Grubb wrote: >>> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote: * Steve Grubb: > Now with LD_AUDIT > $ LD_AUDIT=/home/sgrubb/test/openflag

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-08 Thread James Morris
On Fri, 6 Sep 2019, Mickaël Salaün wrote: > Furthermore, the security policy can also be delegated to an LSM, either > a MAC system or an integrity system. For instance, the new kernel > MAY_OPENEXEC flag closes a major IMA measurement/appraisal interpreter > integrity gap by bringing the ability

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-06 Thread Aleksa Sarai
On 2019-09-06, Andy Lutomirski wrote: > > On Sep 6, 2019, at 12:07 PM, Steve Grubb wrote: > > > >> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote: > >> * Steve Grubb: > >>> Now with LD_AUDIT > >>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test > >>> 2>&1

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-06 Thread Andy Lutomirski
> On Sep 6, 2019, at 12:07 PM, Steve Grubb wrote: > >> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote: >> * Steve Grubb: >>> Now with LD_AUDIT >>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test >>> 2>&1 | grep passwd openat(3, "passwd", O_RDONLY)

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-06 Thread Steve Grubb
On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote: > * Steve Grubb: > > Now with LD_AUDIT > > $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test > > 2>&1 | grep passwd openat(3, "passwd", O_RDONLY) = 4 > > > > No O_CLOEXEC flag. > > I think you need to

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-06 Thread Florian Weimer
* Steve Grubb: > Now with LD_AUDIT > $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test 2>&1 | > grep passwd > openat(3, "passwd", O_RDONLY) = 4 > > No O_CLOEXEC flag. I think you need to explain in detail why you consider this a problem. With LD_PRELOAD and LD_AUDI
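The exchange quoted in the two messages above (Steve Grubb's LD_AUDIT demo and Florian Weimer's reply) turns on how an audit library can rewrite the flags an interpreter passes to openat() before the kernel sees them. The following is an added example, not Steve Grubb's strip-flags.so.0 (whose source is not on this page): an rtld-audit library that rebinds the program's PLT entry for openat() to a wrapper which drops O_CLOEXEC and the proposed O_MAYEXEC bit. It assumes glibc on x86_64 (hence la_symbind64) and uses the O_MAYEXEC value from this series, which is not in mainline headers and is defined locally as an assumption.

```c
/* Added example: LD_AUDIT library that strips O_CLOEXEC and O_MAYEXEC from
 * every openat() the audited program makes through its PLT.
 * Assumptions: glibc, x86_64 (la_symbind64), O_MAYEXEC value as proposed.
 *
 * Build:  gcc -shared -fPIC -O2 -o strip-flags.so strip_flags.c
 * Use:    LD_AUDIT=$PWD/strip-flags.so strace ./test 2>&1 | grep openat
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <link.h>
#include <stdarg.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

/* Value proposed for O_MAYEXEC by this patch series. Assumption: not in
 * mainline headers, so defined here only so the example compiles. */
#ifndef O_MAYEXEC
#define O_MAYEXEC 040000000
#endif

/* Flags the interposer removes; the result is what the kernel receives. */
int strip_flags(int flags)
{
    return flags & ~(O_CLOEXEC | O_MAYEXEC);
}

/* libc's real openat, captured at bind time. */
static int (*real_openat)(int, const char *, int, ...);

/* Wrapper with openat's real prototype: the mode argument is only present
 * when O_CREAT or O_TMPFILE is set, so it must be fetched conditionally. */
static int stripped_openat(int dirfd, const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & (O_CREAT | O_TMPFILE)) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, mode_t);
        va_end(ap);
    }
    return real_openat(dirfd, path, strip_flags(flags), mode);
}

/* rtld-audit handshake: tell the loader which interface version we speak. */
unsigned int la_version(unsigned int version)
{
    (void)version;
    return LAV_CURRENT;
}

/* Request symbol-binding callbacks for every loaded object, so we see the
 * program's reference to openat and libc's definition of it. */
unsigned int la_objopen(struct link_map *map, Lmid_t lmid, uintptr_t *cookie)
{
    (void)map; (void)lmid; (void)cookie;
    return LA_FLG_BINDTO | LA_FLG_BINDFROM;
}

/* Called once per PLT binding; the address returned is the one the caller
 * will jump to from now on. For openat we remember libc's real address and
 * hand back the wrapper; every other symbol is bound unchanged. */
uintptr_t la_symbind64(Elf64_Sym *sym, unsigned int ndx,
                       uintptr_t *refcook, uintptr_t *defcook,
                       unsigned int *flags, const char *symname)
{
    (void)ndx; (void)refcook; (void)defcook; (void)flags;
    if (strcmp(symname, "openat") == 0) {
        real_openat = (int (*)(int, const char *, int, ...))
                      (uintptr_t)sym->st_value;
        return (uintptr_t)stripped_openat;
    }
    return sym->st_value;
}
```

Run under strace and the program's openat() calls show up without O_CLOEXEC (or O_MAYEXEC), which is the observation in the quoted demo. It is also the point Florian Weimer raises: the library only works because LD_AUDIT already gives whoever sets it full control of the process, and it changes nothing about what the kernel enforces for a caller that does pass the flag.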

Re: [PATCH v2 0/5] Add support for O_MAYEXEC

2019-09-06 Thread Steve Grubb
On Friday, September 6, 2019 11:24:50 AM EDT Mickaël Salaün wrote: > The goal of this patch series is to control script interpretation. A > new O_MAYEXEC flag used by sys_open() is added to enable userspace > script interpreter to delegate to the kernel (and thus the system > security policy) the