Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2)

[PATCH v21 0/6] Script execution control (was O_MAYEXEC) · Mickaël Salaün <mic@digikod.net> · 2024-11-12
[PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Mickaël Salaün <mic@digikod.net> · 2024-11-12
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Jeff Xu <hidden> · 2024-11-20
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Mickaël Salaün <mic@digikod.net> · 2024-11-20
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Jeff Xu <hidden> · 2024-11-20
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Mickaël Salaün <mic@digikod.net> · 2024-11-21
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Jeff Xu <hidden> · 2024-11-21
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Mickaël Salaün <mic@digikod.net> · 2024-11-22
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Jeff Xu <hidden> · 2024-11-25
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Mickaël Salaün <mic@digikod.net> · 2024-11-27
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Jeff Xu <hidden> · 2024-11-27
Re: [PATCH v21 1/6] exec: Add a new AT_EXECVE_CHECK flag to execveat(2) · Paul Moore <paul@paul-moore.com> · 2024-12-05
[PATCH v21 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits · Mickaël Salaün <mic@digikod.net> · 2024-11-12
Re: [PATCH v21 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits · Jeff Xu <hidden> · 2024-11-20
Re: [PATCH v21 2/6] security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits · Mickaël Salaün <mic@digikod.net> · 2024-11-20
[PATCH v21 3/6] selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits · Mickaël Salaün <mic@digikod.net> · 2024-11-12
[PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mickaël Salaün <mic@digikod.net> · 2024-11-12
Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mimi Zohar <zohar@linux.ibm.com> · 2024-11-21
Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mickaël Salaün <mic@digikod.net> · 2024-11-22
Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mimi Zohar <zohar@linux.ibm.com> · 2024-11-26
Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mickaël Salaün <mic@digikod.net> · 2024-11-27
Re: [PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests · Mimi Zohar <zohar@linux.ibm.com> · 2024-11-27
[PATCH v21 4/6] selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK · Mickaël Salaün <mic@digikod.net> · 2024-11-12
[PATCH v21 5/6] samples/check-exec: Add set-exec · Mickaël Salaün <mic@digikod.net> · 2024-11-12
Re: [PATCH v21 0/6] Script execution control (was O_MAYEXEC) · Kees Cook <kees@kernel.org> · 2024-11-21

From: Paul Moore <paul@paul-moore.com>
Date: 2024-12-05 03:33:46
Also in: linux-fsdevel, linux-integrity, linux-security-module, lkml

On Thu, Nov 21, 2024 at 8:40 AM Mickaël Salaün [off-list ref] wrote:

On Wed, Nov 20, 2024 at 08:06:07AM -0800, Jeff Xu wrote:

quoted

On Wed, Nov 20, 2024 at 1:42 AM Mickaël Salaün [off-list ref] wrote:

quoted

On Tue, Nov 19, 2024 at 05:17:00PM -0800, Jeff Xu wrote:

quoted

On Tue, Nov 12, 2024 at 11:22 AM Mickaël Salaün [off-list ref] wrote:

...

quoted hunk ↗ jump to hunk

quoted

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index cd57053b4a69..8d9ba5600cf2 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c

@@ -2662,6 +2662,7 @@ void __audit_bprm(struct linux_binprm *bprm)

        context->type = AUDIT_EXECVE;
        context->execve.argc = bprm->argc;
+       context->execve.is_check = bprm->is_check;

Where is execve.is_check used ?

It is used in bprm_execve(), exposed to the audit framework, and
potentially used by LSMs.

bprm_execve() uses bprm->is_check, not  the context->execve.is_check.

Correct, this is only for audit but not used yet.

Paul, Eric, do you want me to remove this field, leave it, or extend
this patch like this?

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 8d9ba5600cf2..12cf89fa224a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c

@@ -1290,6 +1290,8 @@ static void audit_log_execve_info(struct audit_context *context,
                }
        } while (arg < context->execve.argc);

+       audit_log_format(*ab, " check=%d", context->execve.is_check);
+
        /* NOTE: the caller handles the final audit_log_end() call */

 out:

I would prefer to drop the audit changes rather than add a new field
to the audit record at this point in time.  Once we have a better
understanding of how things are actually being deployed by distros,
providers, and admins we can make a more reasoned decision on what we
should audit with respect to AT_EXECVE_CHECK.

Beyond that it looks okay to me from a LSM and audit perspective, so
feel free to add my ACK once you've dropped the audit bits.

Acked-by: Paul Moore <paul@paul-moore.com>

-- 
paul-moore.com

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help