KSPP / linux

Linux kernel source tree (Kernel Self Protection Project)
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project

Implement O_MAYEXEC / trusted_for() #164

Open kees opened 2 years ago

kees commented 2 years ago

While executable files can be made non-executable, and mount points can be mounted with "noexec", there isn't a good way (short of comprehensive LSM policy) to block running an arbitrary shared library or script with an executable from such a place. This "noexec bypass using interpreters" is a long-standing hole in userspace defenses and there needs to be a way to check with the kernel on the origin of a given file to see if it should be allowed to be loaded by an interpreter.

Various versions of this functionality have existed in other distro patches for a while now (ClipOS and Chrome OS at least), but this needs to be done in upstream.

This series implements the trusted_for() syscall, which needs interpreters to use to validate permissions: https://lore.kernel.org/lkml/20211008104840.1733385-1-mic@digikod.net

But we likely need to use the original design, based on Linus's feedback: https://lore.kernel.org/lkml/20200723171227.446711-1-mic@digikod.net/

Basically only this patch remains, but needs to work with faccessat via AT_EACCESS instead of via open: https://lore.kernel.org/lkml/20200723171227.446711-5-mic@digikod.net/ (and it must be strictly fd-based to avoid ToCToU on path-based APIs)

On the interpreter side, various things need to be considered (-c, stdin, etc.). Some references:
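As an added user-space illustration of the fd-based check the comment above argues for (this is not code from the issue or from the kernel patch series): an interpreter opens the script once, applies the two conditions the issue names (the file's own execute bits and the mount's noexec flag) to the resulting fd, and then reads from that same fd rather than re-resolving the path. The DENY_* names, the helper functions and the temp-file input are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#ifndef ST_NOEXEC
#define ST_NOEXEC 8 /* Linux value; glibc only exposes it under _GNU_SOURCE */
#endif
/* Denial reasons; these names are this example's own. */
#define DENY_FILE_NOEXEC  0x1 /* no execute bit on the file itself */
#define DENY_MOUNT_NOEXEC 0x2 /* file lives on a "noexec" mount */

/* Verdict for an already-open fd (0 = allowed). Every check uses the fd, so it
 * binds to the inode that will be read, not to a path swappable between check and use. */
int script_exec_policy(int fd)
{
    struct stat st;
    struct statvfs vfs;
    int deny = 0;
    if (fstat(fd, &st) != 0 || fstatvfs(fd, &vfs) != 0)
        return -1;
    if ((st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
        deny |= DENY_FILE_NOEXEC;
    if (vfs.f_flag & ST_NOEXEC)
        deny |= DENY_MOUNT_NOEXEC;
    return deny;
}

/* Resolve the path exactly once; hand back the checked fd, or -1 (with *why set on denial). */
int open_script_checked(const char *path, int *why)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd >= 0 && (*why = script_exec_policy(fd)) != 0) {
        close(fd);
        fd = -1;
    }
    return fd; /* the caller reads from this fd and never re-opens by path */
}

/* Constructed input: an unlinked temp file with the given mode, to observe
 * the effect of the file's own exec bit on the verdict (-1 on setup failure). */
int policy_for_tmpfile(mode_t mode)
{
    char tmpl[] = "/tmp/mayexec-demo-XXXXXX";
    int fd = mkstemp(tmpl), deny = -1;
    if (fd >= 0 && unlink(tmpl) == 0 && fchmod(fd, mode) == 0)
        deny = script_exec_policy(fd);
    close(fd); /* harmless no-op if mkstemp failed */
    return deny;
}
```

Whether DENY_MOUNT_NOEXEC is reported for the temp file depends on how /tmp is mounted on the machine running it, which is exactly the origin information the comment wants the kernel to expose to interpreters.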

l0kod commented 2 years ago

Sounds good, I'm working on this.

l0kod commented 2 years ago

An IMA extension has been proposed: https://lore.kernel.org/all/20211013110113.13239-1-zohar@linux.ibm.com/

l0kod commented 2 years ago

I sent a v17 to address a minor issue.

l0kod commented 2 years ago

I sent a v18 but it is missing a Reviewed-by or Acked-by for the new printk sysctl patch though.

kees commented 2 years ago

PR sent but Linus wants a redesign.

l0kod commented 1 month ago

[RFC PATCH v19 0/5] Script execution control (was O_MAYEXEC)