Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Sep 2019 22:28:02 +1000
From: Aleksa Sarai <>
To: Mickaël Salaün <>
Cc: James Morris <>, Jeff Layton <>,
	Florian Weimer <>,
	Mickaël Salaün <>,, Alexei Starovoitov <>,
	Al Viro <>,
	Andy Lutomirski <>,
	Christian Heimes <>,
	Daniel Borkmann <>,
	Eric Chiang <>, Jan Kara <>,
	Jann Horn <>, Jonathan Corbet <>,
	Kees Cook <>,
	Matthew Garrett <>,
	Matthew Wilcox <>,
	Michael Kerrisk <>,
	Mimi Zohar <>,
	Philippe Trébuchet <>,
	Scott Shell <>,
	Sean Christopherson <>,
	Shuah Khan <>, Song Liu <>,
	Steve Dower <>,
	Steve Grubb <>,
	Thibaut Sautereau <>,
	Vincent Strubel <>,
	Yves-Alexis Perez <>,,,,
Subject: Re: [PATCH v2 1/5] fs: Add support for an O_MAYEXEC flag on

On 2019-09-09, Mickaël Salaün <> wrote:
> On 09/09/2019 12:12, James Morris wrote:
> > On Mon, 9 Sep 2019, Mickaël Salaün wrote:
> >> As I said, O_MAYEXEC should be ignored if it is not supported by the
> >> kernel, which perfectly fit with the current open(2) flags behavior, and
> >> should also behave the same with openat2(2).
> >
> > The problem here is programs which are already using the value of
> > O_MAYEXEC, which will break.  Hence, openat2(2).
> Well, it still depends on the sysctl, which doesn't enforce anything by
> default, hence doesn't break existing behavior, and this unused flags
> could be fixed/removed or reported by sysadmins or distro developers.

Okay, but then this means that new programs which really want to enforce
O_MAYEXEC (and know that they really do want this feature) won't be able
to unless an admin has set the relevant sysctl. Not to mention that the
old-kernel fallback will not cover the "it's disabled by the sysctl"
case -- so the fallback handling would need to be:

    int fd = open("foo", O_MAYEXEC|O_RDONLY);
    if (!(fcntl(fd, F_GETFL) & O_MAYEXEC))
    if (!sysctl_feature_is_enabled)

However, there is still a race here -- if an administrator enables
O_MAYEXEC after the program gets the fd, then you still won't hit the
fallback (and you can't tell that O_MAYEXEC checks weren't done).

You could fix the issue with the sysctl by clearing O_MAYEXEC from
f_flags if the sysctl is disabled. You could also avoid some of the
problems with it being a global setting by making it a prctl(2) which
processes can opt-in to (though this has its own major problems).

Sorry, but I'm just really not a fan of this.

Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.