Date: Fri,  6 Sep 2019 17:24:55 +0200
From: Mickaël Salaün <>
Cc: Mickaël Salaün <>,
        Aleksa Sarai <>, Alexei Starovoitov <>,
        Al Viro <>, Andy Lutomirski <>,
        Christian Heimes <>,
        Daniel Borkmann <>,
        Eric Chiang <>,
        Florian Weimer <>, James Morris <>,
        Jan Kara <>, Jann Horn <>,
        Jonathan Corbet <>, Kees Cook <>,
        Matthew Garrett <>,
        Matthew Wilcox <>,
        Michael Kerrisk <>,
        Mickaël Salaün <>,
        Mimi Zohar <>,
        Philippe Trébuchet <>,
        Scott Shell <>,
        Sean Christopherson <>,
        Shuah Khan <>, Song Liu <>,
        Steve Dower <>, Steve Grubb <>,
        Thibaut Sautereau <>,
        Vincent Strubel <>,
        Yves-Alexis Perez <>
Subject: [PATCH v2 5/5] doc: Add documentation for the fs.open_mayexec_enforce sysctl

Changes since v1:
* move from LSM/Yama to sysctl/fs

Signed-off-by: Mickaël Salaün <>
Reviewed-by: Philippe Trébuchet <>
Reviewed-by: Thibaut Sautereau <>
Cc: Jonathan Corbet <>
Cc: Kees Cook <>
Cc: Mickaël Salaün <>
 Documentation/admin-guide/sysctl/fs.rst | 43 +++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/Documentation/admin-guide/sysctl/fs.rst b/Documentation/admin-guide/sysctl/fs.rst
index 2a45119e3331..f2f5bbe428d6 100644
--- a/Documentation/admin-guide/sysctl/fs.rst
+++ b/Documentation/admin-guide/sysctl/fs.rst
@@ -37,6 +37,7 @@ Currently, these files are in /proc/sys/fs:
 - inode-nr
 - inode-state
 - nr_open
+- open_mayexec_enforce
 - overflowuid
 - overflowgid
 - pipe-user-pages-hard
@@ -165,6 +166,48 @@ system needs to prune the inode list instead of allocating
+The ``O_MAYEXEC`` flag can be passed to :manpage:`open(2)` to only open regular
+files that are expected to be executable.  If the file is not identified as
+executable, then the syscall returns -EACCES.  This may allow a script
+interpreter to check executable permission before reading commands from a file.
+One interesting use case is to enforce a "write xor execute" policy through
+Thanks to this flag, it is possible to enforce the ``noexec`` mount option
+(i.e.  the underlying mount point of the file is mounted with MNT_NOEXEC or its
+underlying superblock is SB_I_NOEXEC) not only on ELF binaries but also on
+scripts.  This may be possible thanks to script interpreters using the
+``O_MAYEXEC`` flag.  The executable permission is then checked before reading
+commands from a file, and thus can enforce the ``noexec`` at the interpreter
+level by propagating this security policy to the scripts.  To be fully
+effective, these interpreters also need to handle the other ways to execute
+code (for which the kernel can't help): command line parameters (e.g., option
+``-e`` for Perl), module loading (e.g., option ``-m`` for Python), stdin, file
+sourcing, environment variables, configuration files...  According to the
+threat model, it may be acceptable to allow some script interpreters (e.g.
+Bash) to interpret commands from stdin, may it be a TTY or a pipe, because it
+may not be enough to (directly) perform syscalls.
+There is two complementary security policies: enforce the ``noexec`` mount
+option, or enforce executable file permission.  These policies are handled by
+the ``fs.open_mayexec_enforce`` sysctl (writable only with ``CAP_MAC_ADMIN``)
+as a bitmask:
+1 - mount restriction:
+    check that the mount options for the underlying VFS mount do not prevent
+    execution.
+2 - file permission restriction:
+    check that the to-be-opened file is marked as executable for the current
+    process (e.g., POSIX permissions).
+Code samples can be found in tools/testing/selftests/exec/omayexec.c and
+ .
 overflowgid & overflowuid
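Review bot: the bitmask description under "as a bitmask:" (`1 - mount restriction:` / `2 - file permission restriction:`) never states the sysctl's default value, what writing 3 does (both checks, since the values are bit flags), or whether an administrator can lower the value once it has been raised; as this is the admin guide, please add a sentence covering those three points, e.g. "The default is <value>; 3 enables both restrictions." Two grammar slips in the same paragraph: "There is two complementary security policies" should read "There are two complementary security policies", and "may it be a TTY or a pipe" should read "be it a TTY or a pipe". For RST consistency, `-EACCES`, `MNT_NOEXEC` and `SB_I_NOEXEC` should get the same double-backtick markup as ``O_MAYEXEC`` and ``noexec``, and since admin-guide readers are not expected to know in-kernel flag names, consider describing that case simply as "the file's mount point is mounted with ``noexec``" with the flag names in a parenthesis. Finally, the closing line `+ .` points at a second code sample whose path or URL is missing; restore the reference (or drop the "and") before this is merged.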