Date: Tue, 11 Aug 2020 09:07:41 -0400 From: Steve Grubb <sgrubb@...hat.com> To: David Laight <David.Laight@...lab.com>, Al Viro <viro@...iv.linux.org.uk>, Mickaël Salaün <mic@...ikod.net> Cc: Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Aleksa Sarai <cyphar@...har.com>, Alexei Starovoitov <ast@...nel.org>, Andy Lutomirski <luto@...nel.org>, Christian Brauner <christian.brauner@...ntu.com>, Christian Heimes <christian@...hon.org>, Daniel Borkmann <daniel@...earbox.net>, Deven Bowers <deven.desai@...ux.microsoft.com>, Dmitry Vyukov <dvyukov@...gle.com>, Eric Biggers <ebiggers@...nel.org>, Eric Chiang <ericchiang@...gle.com>, Florian Weimer <fweimer@...hat.com>, James Morris <jmorris@...ei.org>, Jan Kara <jack@...e.cz>, Jann Horn <jannh@...gle.com>, Jonathan Corbet <corbet@....net>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Matthew Garrett <mjg59@...gle.com>, Matthew Wilcox <willy@...radead.org>, Michael Kerrisk <mtk.manpages@...il.com>, Mimi Zohar <zohar@...ux.ibm.com>, Philippe Trébuchet <philippe.trebuchet@....gouv.fr>, Scott Shell <scottsh@mi crosoft.com>, Sean Christopherson <sean.j.christopherson@...el.com>, Shuah Khan <shuah@...nel.org>, Steve Dower <steve.dower@...hon.org>, Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>, Thibaut Sautereau <thibaut.sautereau@...p-os.org>, Vincent Strubel <vincent.strubel@....gouv.fr>, "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, "linux-api@...r.kernel.org" <linux-api@...r.kernel.org>, "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>, "linux-fsdevel@...r.kernel.org" <linux-fsdevel@...r.kernel.org> Subject: Re: [PATCH v7 0/7] Add support for O_MAYEXEC On Tuesday, August 11, 2020 4:50:53 AM EDT Mickaël Salaün wrote: > On 11/08/2020 10:09, David Laight wrote: > >> On 11/08/2020 00:28, Al Viro wrote: > >>> On Mon, Aug 10, 2020 at 10:09:09PM +0000, David Laight wrote: > >>>>> On Mon, Aug 10, 2020 at 10:11:53PM +0200, Mickaël Salaün wrote: > >>>>>> It seems that there is no more complains nor questions. Do you want > >>>>>> me > >>>>>> to send another series to fix the order of the S-o-b in patch 7? > >>>>> > >>>>> There is a major question regarding the API design and the choice of > >>>>> hooking that stuff on open(). And I have not heard anything > >>>>> resembling > >>>>> a coherent answer. > >>>> > >>>> To me O_MAYEXEC is just the wrong name. > >>>> The bit would be (something like) O_INTERPRET to indicate > >>>> what you want to do with the contents. > >> > >> The properties is "execute permission". This can then be checked by > >> interpreters or other applications, then the generic O_MAYEXEC name. > > > > The english sense of MAYEXEC is just wrong for what you are trying > > to check. > > We think it reflects exactly what it's purpose is. > > >>> ... which does not answer the question - name of constant is the least > >>> of > >>> the worries here. Why the hell is "apply some unspecified checks to > >>> file" combined with opening it, rather than being an independent > >>> primitive > >>> you apply to an already opened file? Just in case - "'cuz that's how > >>> we'd > >>> done it" does not make a good answer... > > > > Maybe an access_ok() that acts on an open fd would be more > > appropriate. > > Which might end up being an fcntrl() action. > > That would give you a full 32bit mask of options. > > I previously talk about fcntl(2): > https://firstname.lastname@example.org > et/ Fcntl is too late for anything using FANOTIFY. Everything needs to be upfront or other security systems cannot use it. -Steve
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.