From: Florian Weimer
To: Matthew Wilcox
Cc: Mickaël Salaün, linux-kernel@vger.kernel.org, Al Viro, James Morris,
    Jonathan Corbet, Kees Cook, Matthew Garrett, Michael Kerrisk,
    Mimi Zohar, Philippe Trébuchet, Shuah Khan, Thibaut Sautereau,
    Vincent Strubel, Yves-Alexis Perez,
    kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
    linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/5] Add support for O_MAYEXEC
References: <20181212081712.32347-1-mic@digikod.net> <20181213030228.GM6830@bombadil.infradead.org>
In-Reply-To: <20181213030228.GM6830@bombadil.infradead.org> (Matthew Wilcox's message of "Wed, 12 Dec 2018 19:02:28 -0800")
Date: Thu, 13 Dec 2018 06:22:00 +0100
Message-ID: <87bm5qovbb.fsf@oldenburg2.str.redhat.com>

* Matthew Wilcox:

> On Wed, Dec 12, 2018 at 09:17:07AM +0100, Mickaël Salaün wrote:
>> The goal of this patch series is to control script interpretation. A
>> new O_MAYEXEC flag used by sys_open() is added to enable userland script
>> interpreter to delegate to the kernel (and thus the system security
>> policy) the permission to interpret scripts or other files containing
>> what can be seen as commands.
>
> I don't have a problem with the concept, but we're running low on O_ bits.
> Does this have to be done before the process gets a file descriptor,
> or could we have a new syscall? Since we're going to be changing the
> interpreters anyway, it doesn't seem like too much of an imposition to
> ask them to use:
>
> int verify_for_exec(int fd)
>
> instead of adding an O_MAYEXEC.

Will this work for auditing?

Maybe add an interface which explicitly upgrades O_PATH descriptors, and
give that a separate flag argument? I suppose that would be more
friendly to auditing.

Thanks,
Florian
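
The flow suggested in this reply (take an O_PATH descriptor, check it, then upgrade it to a readable one), written with interfaces Linux already has; this is an added example, not code from the patch series or from anyone in the thread. `open_script_checked` and `may_interpret` are hypothetical names, the policy is a userspace stand-in for the decision the thread wants to delegate to the kernel, and `/proc` is assumed to be mounted.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Stand-in policy (assumption): regular file, some execute bit set, and
 * not on a noexec mount. It is evaluated on the descriptor, not the path. */
static int may_interpret(int pfd)
{
    struct stat st;
    struct statvfs vfs;
    if (fstat(pfd, &st) != 0 || fstatvfs(pfd, &vfs) != 0)
        return 0;
    return S_ISREG(st.st_mode)
        && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0
        && (vfs.f_flag & ST_NOEXEC) == 0;
}

/* Hypothetical helper: returns a readable fd for `path`, or -1 if the
 * file cannot be opened or fails the check. */
int open_script_checked(const char *path)
{
    /* O_PATH pins the file without granting read access; with O_NOFOLLOW
     * a symlink in the last component is seen as a non-regular file. */
    int pfd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (pfd < 0)
        return -1;

    int fd = -1;
    if (may_interpret(pfd)) {
        /* Upgrade: reopen the pinned file through /proc, so the file
         * that was checked and the file that gets read cannot differ. */
        char link[64];
        snprintf(link, sizeof link, "/proc/self/fd/%d", pfd);
        fd = open(link, O_RDONLY | O_CLOEXEC);
    }
    close(pfd);
    return fd;
}

int main(int argc, char **argv)
{
    int fd = argc > 1 ? open_script_checked(argv[1]) : -1;
    puts(fd >= 0 ? "allowed" : "refused");
    return fd >= 0 ? 0 : 1;
}
```

Because this check runs inside the interpreter, it is advisory only and leaves no kernel audit record, which is the gap the interfaces discussed in the thread are meant to close.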