From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65B6AC10F13 for ; Tue, 16 Apr 2019 11:49:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 449A520821 for ; Tue, 16 Apr 2019 11:49:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729461AbfDPLts (ORCPT ); Tue, 16 Apr 2019 07:49:48 -0400 Received: from mx1.redhat.com ([209.132.183.28]:32856 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726672AbfDPLts (ORCPT ); Tue, 16 Apr 2019 07:49:48 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1832459460; Tue, 16 Apr 2019 11:49:47 +0000 (UTC) Received: from oldenburg2.str.redhat.com (unknown [10.36.118.39]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1FFA45D71A; Tue, 16 Apr 2019 11:49:40 +0000 (UTC) From: Florian Weimer To: Steve Grubb Cc: Jan Kara , =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= , linux-kernel@vger.kernel.org, Al Viro , James Morris , Jonathan Corbet , Kees Cook , Matthew Garrett , Michael Kerrisk , =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= , Mimi Zohar , Philippe =?utf-8?Q?Tr=C3=A9buchet?= , Shuah Khan , Thibaut Sautereau , Vincent Strubel , Yves-Alexis Perez , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, Matthew Bobrowski Subject: Re: [RFC PATCH v1 1/5] fs: Add support for an O_MAYEXEC flag on sys_open() References: <20181212081712.32347-1-mic@digikod.net> <20181212081712.32347-2-mic@digikod.net> <20181212144306.GA19945@quack2.suse.cz> <3452959.b6JmBh7Lnt@x2> Date: Tue, 16 Apr 2019 13:49:39 +0200 In-Reply-To: <3452959.b6JmBh7Lnt@x2> (Steve Grubb's message of "Mon, 15 Apr 2019 14:47:49 -0400") Message-ID: <87wojuxj8s.fsf@oldenburg2.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 16 Apr 2019 11:49:47 +0000 (UTC) Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: * Steve Grubb: > This flag that is being proposed means that you would have to patch all > interpreters to use it. If you are sure that upstreams will accept that, why > not just change the policy to interpreters shouldn't execute anything unless > the execute bit is set? That is simpler and doesn't need a kernel change. And > setting the execute bit is an auditable event. I think we need something like O_MAYEXEC so that security policies can be enforced and noexec mounts can be detected. I don't think it's a good idea to do this in userspace, especially the latter. Thanks, Florian