On Fri, May 15, 2020 at 04:43:37PM +0200, Florian Weimer wrote: > * Kees Cook: > > > On Fri, May 15, 2020 at 10:43:34AM +0200, Florian Weimer wrote: > >> * Kees Cook: > >> > >> > Maybe I've missed some earlier discussion that ruled this out, but I > >> > couldn't find it: let's just add O_EXEC and be done with it. It actually > >> > makes the execve() path more like openat2() and is much cleaner after > >> > a little refactoring. Here are the results, though I haven't emailed it > >> > yet since I still want to do some more testing: > >> > https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/o_exec/v1 > >> > >> I think POSIX specifies O_EXEC in such a way that it does not confer > >> read permissions. This seems incompatible with what we are trying to > >> achieve here. > > > > I was trying to retain this behavior, since we already make this > > distinction between execve() and uselib() with the MAY_* flags: > > > > execve(): > > struct open_flags open_exec_flags = { > > .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, > > .acc_mode = MAY_EXEC, > > > > uselib(): > > static const struct open_flags uselib_flags = { > > .open_flag = O_LARGEFILE | O_RDONLY | __FMODE_EXEC, > > .acc_mode = MAY_READ | MAY_EXEC, > > > > I tried to retain this in my proposal, in the O_EXEC does not imply > > MAY_READ: > > That doesn't quite parse for me, sorry. > > The point is that the script interpreter actually needs to *read* those > files in order to execute them. I think I misunderstood what you meant (Mickaël got me sorted out now). If O_EXEC is already meant to be "EXEC and _not_ READ nor WRITE", then yes, this new flag can't be O_EXEC. I was reading the glibc documentation (which treats it as a permission bit flag, not POSIX, which treats it as a complete mode description). -- Kees Cook
