Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 6 Sep 2019 12:26:51 -0700
From: Andy Lutomirski <>
To: Steve Grubb <>
Cc: Florian Weimer <>,
 Mickaël Salaün <>,, Aleksa Sarai <>,
 Alexei Starovoitov <>, Al Viro <>,
 Andy Lutomirski <>, Christian Heimes <>,
 Daniel Borkmann <>,
 Eric Chiang <>, James Morris <>,
 Jan Kara <>, Jann Horn <>,
 Jonathan Corbet <>, Kees Cook <>,
 Matthew Garrett <>, Matthew Wilcox <>,
 Michael Kerrisk <>,
 Mickaël Salaün <>,
 Mimi Zohar <>,
 Philippe Trébuchet <>,
 Scott Shell <>,
 Sean Christopherson <>,
 Shuah Khan <>, Song Liu <>,
 Steve Dower <>,
 Thibaut S autereau <>,
 Vincent Strubel <>,
 Yves-Alexis Perez <>,,,,
Subject: Re: [PATCH v2 0/5] Add support for O_MAYEXEC

> On Sep 6, 2019, at 12:07 PM, Steve Grubb <> wrote:
>> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote:
>> * Steve Grubb:
>>> Now with LD_AUDIT
>>> $ LD_AUDIT=/home/sgrubb/test/openflags/ strace ./test
>>> 2>&1 | grep passwd openat(3, "passwd", O_RDONLY)           = 4
>>> No O_CLOEXEC flag.
>> I think you need to explain in detail why you consider this a problem.
> Because you can strip the O_MAYEXEC flag from being passed into the kernel. 
> Once you do that, you defeat the security mechanism because it never gets 
> invoked. The issue is that the only thing that knows _why_ something is being 
> opened is user space. With this mechanism, you can attempt to pass this 
> reason to the kernel so that it may see if policy permits this. But you can 
> just remove the flag.

I’m with Florian here. Once you are executing code in a process, you could just emulate some other unapproved code. This series is not intended to provide the kind of absolute protection you’re imagining.

What the kernel *could* do is prevent mmapping a non-FMODE_EXEC file with PROT_EXEC, which would indeed have a real effect (in an iOS-like world, for example) but would break many, many things.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.