Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 13 Dec 2018 06:04:20 -0500
From: Mimi Zohar <>
To: Matthew Wilcox <>,
        Mickaël Salaün <>
Cc:, Al Viro <>,
 Morris <>, Jonathan Corbet <>,
        Kees Cook
 <>, Matthew Garrett <>,
 Kerrisk <>,
        Mickaël Salaün
        Philippe Trébuchet
        Shuah Khan <>,
 Sautereau <>,
        Vincent Strubel
        Yves-Alexis Perez
Subject: Re: [RFC PATCH v1 0/5] Add support for O_MAYEXEC

On Wed, 2018-12-12 at 19:02 -0800, Matthew Wilcox wrote:
> On Wed, Dec 12, 2018 at 09:17:07AM +0100, Mickaël Salaün wrote:
> > The goal of this patch series is to control script interpretation.  A
> > new O_MAYEXEC flag used by sys_open() is added to enable userland script
> > interpreter to delegate to the kernel (and thus the system security
> > policy) the permission to interpret scripts or other files containing
> > what can be seen as commands.
> I don't have a problem with the concept, but we're running low on O_ bits.
> Does this have to be done before the process gets a file descriptor,
> or could we have a new syscall?  Since we're going to be changing the
> interpreters anyway, it doesn't seem like too much of an imposition to
> ask them to use:
> 	int verify_for_exec(int fd)
> instead of adding an O_MAYEXEC.

The indication needs to be set during file open, before the open
returns to the caller.  This is the point where ima_file_check()
verifies the file's signature.  On failure, access to the file is


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.