Date: Tue, 16 Apr 2019 13:49:39 +0200 From: Florian Weimer <fweimer@...hat.com> To: Steve Grubb <sgrubb@...hat.com> Cc: Jan Kara <jack@...e.cz>, Mickaël Salaün <mic@...ikod.net>, linux-kernel@...r.kernel.org, Al Viro <viro@...iv.linux.org.uk>, James Morris <jmorris@...ei.org>, Jonathan Corbet <corbet@....net>, Kees Cook <keescook@...omium.org>, Matthew Garrett <mjg59@...gle.com>, Michael Kerrisk <mtk.manpages@...il.com>, Mickaël Salaün <mickael.salaun@....gouv.fr>, Mimi Zohar <zohar@...ux.ibm.com>, Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, Shuah Khan <shuah@...nel.org>, Thibaut Sautereau <thibaut.sautereau@....gouv.fr>, Vincent Strubel <vincent.strubel@....gouv.fr>, Yves-Alexis Perez <yves-alexis.perez@....gouv.fr>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-security-module@...r.kernel.org, linux-fsdevel@...r.kernel.org, Matthew Bobrowski <mbobrowski@...browski.org> Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() * Steve Grubb: > This flag that is being proposed means that you would have to patch all > interpreters to use it. If you are sure that upstreams will accept that, why > not just change the policy to interpreters shouldn't execute anything unless > the execute bit is set? That is simpler and doesn't need a kernel change. And > setting the execute bit is an auditable event. I think we need something like O_MAYEXEC so that security policies can be enforced and noexec mounts can be detected. I don't think it's a good idea to do this in userspace, especially the latter. Thanks, Florian
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.