Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 7 Sep 2019 03:07:39 +1000
From: Aleksa Sarai <>
To: Mickaël Salaün <>
Cc: Florian Weimer <>,
	Mickaël Salaün <>,, Alexei Starovoitov <>,
	Al Viro <>,
	Andy Lutomirski <>,
	Christian Heimes <>,
	Daniel Borkmann <>,
	Eric Chiang <>,
	James Morris <>, Jan Kara <>,
	Jann Horn <>, Jonathan Corbet <>,
	Kees Cook <>,
	Matthew Garrett <>,
	Matthew Wilcox <>,
	Michael Kerrisk <>,
	Mimi Zohar <>,
	Philippe Trébuchet <>,
	Scott Shell <>,
	Sean Christopherson <>,
	Shuah Khan <>, Song Liu <>,
	Steve Dower <>,
	Steve Grubb <>,
	Thibaut Sautereau <>,
	Vincent Strubel <>,
	Yves-Alexis Perez <>,,,,
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on

On 2019-09-06, Mickaël Salaün <> wrote:
> On 06/09/2019 17:56, Florian Weimer wrote:
> > Let's assume I want to add support for this to the glibc dynamic loader,
> > while still being able to run on older kernels.
> >
> > Is it safe to try the open call first, with O_MAYEXEC, and if that fails
> > with EINVAL, try again without O_MAYEXEC?
> The kernel ignore unknown open(2) flags, so yes, it is safe even for
> older kernel to use O_MAYEXEC.

Depends on your definition of "safe" -- a security feature that you will
silently not enable on older kernels doesn't sound super safe to me.
Unfortunately this is a limitation of open(2) that we cannot change --
which is why the openat2(2) proposal I've been posting gives -EINVAL for
unknown O_* flags.

There is a way to probe for support (though unpleasant), by creating a
test O_MAYEXEC fd and then checking if the flag is present in

Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.