Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250822170800.2116980-1-mic@digikod.net>
Date: Fri, 22 Aug 2025 19:07:58 +0200
From: Mickaël Salaün <mic@...ikod.net>
To: Al Viro <viro@...iv.linux.org.uk>,
	Christian Brauner <brauner@...nel.org>,
	Kees Cook <keescook@...omium.org>,
	Paul Moore <paul@...l-moore.com>,
	Serge Hallyn <serge@...lyn.com>
Cc: Mickaël Salaün <mic@...ikod.net>,
	Andy Lutomirski <luto@...nel.org>,
	Arnd Bergmann <arnd@...db.de>,
	Christian Heimes <christian@...hon.org>,
	Dmitry Vyukov <dvyukov@...gle.com>,
	Elliott Hughes <enh@...gle.com>,
	Fan Wu <wufan@...ux.microsoft.com>,
	Florian Weimer <fweimer@...hat.com>,
	Jann Horn <jannh@...gle.com>,
	Jeff Xu <jeffxu@...gle.com>,
	Jonathan Corbet <corbet@....net>,
	Jordan R Abrahams <ajordanr@...gle.com>,
	Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
	Luca Boccassi <bluca@...ian.org>,
	Matt Bobrowski <mattbobrowski@...gle.com>,
	Miklos Szeredi <mszeredi@...hat.com>,
	Mimi Zohar <zohar@...ux.ibm.com>,
	Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>,
	Robert Waite <rowait@...rosoft.com>,
	Roberto Sassu <roberto.sassu@...wei.com>,
	Scott Shell <scottsh@...rosoft.com>,
	Steve Dower <steve.dower@...hon.org>,
	Steve Grubb <sgrubb@...hat.com>,
	kernel-hardening@...ts.openwall.com,
	linux-api@...r.kernel.org,
	linux-fsdevel@...r.kernel.org,
	linux-integrity@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)

Hi,

Script interpreters can check if a file would be allowed to be executed
by the kernel using the new AT_EXECVE_CHECK flag. This approach works
well on systems with write-xor-execute policies, where scripts cannot
be modified by malicious processes. However, this protection may not be
available on more generic distributions.

The key difference between `./script.sh` and `sh script.sh` (when using
AT_EXECVE_CHECK) is that execve(2) prevents the script from being opened
for writing while it's being executed. To achieve parity, the kernel
should provide a mechanism for script interpreters to deny write access
during script interpretation. While interpreters can copy script content
into a buffer, a race condition remains possible after AT_EXECVE_CHECK.

This patch series introduces a new O_DENY_WRITE flag for use with
open*(2) and fcntl(2). Both interfaces are necessary since script
interpreters may receive either a file path or file descriptor. For
backward compatibility, open(2) with O_DENY_WRITE will not fail on
unsupported systems, while users requiring explicit support guarantees
can use openat2(2).

The check_exec.rst documentation and related examples do not mention this new
feature yet.

Regards,

Mickaël Salaün (2):
  fs: Add O_DENY_WRITE
  selftests/exec: Add O_DENY_WRITE tests

 fs/fcntl.c                                |  26 ++-
 fs/file_table.c                           |   2 +
 fs/namei.c                                |   6 +
 include/linux/fcntl.h                     |   2 +-
 include/uapi/asm-generic/fcntl.h          |   4 +
 tools/testing/selftests/exec/check-exec.c | 219 ++++++++++++++++++++++
 6 files changed, 256 insertions(+), 3 deletions(-)


base-commit: c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9
-- 
2.50.1

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.