Thread: 14 messages, 5 authors, 2017-06-12

[PATCH v1] shebang: restrict python interactive prompt/interpreter

From: Matt Brown <hidden>
Date: 2017-06-09 16:37:50

On 6/9/17 11:41 AM, Tetsuo Handa wrote:
> Matt Brown wrote:
>>> What about execution via ld-linux ?
>>>
>>>    $ /lib64/ld-linux-x86-64.so.2 /usr/bin/python2
>> Just tested this and you are correct, this allows you to bypass the
>> protection.
>>
>> I was able to fix this bypass by including /lib64/ld-linux-x86-64.so.2
>> in the list of interpreters.
> And there is also PYTHONINSPECT environment variable. ;-)
>
> # echo '#!/usr/bin/python2' > run-python
> # chmod 755 run-python
> # ./run-python
> # PYTHONINSPECT=yes ./run-python
> >>> print "hello"
> hello
> >>>

While this bypass works against this LSM alone, when combined with
Trusted Path Execution this is prevented for non-root/untrusted user.
This is why I feel like this is such a great feature to combine with TPE
as I said here:

http://www.openwall.com/lists/kernel-hardening/2017/06/09/13

Results from my test:

$ PYTHONINSPECT=yes ./run-python
-bash: ./run-python: /usr/bin/python2: bad interpreter: Operation not permitted

and in the dmesg log:
TPE: Denied exec of /home/test/run-python Reason: file in non-root-owned directory

Matt