On Thu, Dec 13, 2018 at 04:17:29PM +0100, Mickaël Salaün wrote: > On 13/12/2018 04:02, Matthew Wilcox wrote: > > On Wed, Dec 12, 2018 at 09:17:07AM +0100, Mickaël Salaün wrote: > >> The goal of this patch series is to control script interpretation. A > >> new O_MAYEXEC flag used by sys_open() is added to enable userland script > >> interpreter to delegate to the kernel (and thus the system security > >> policy) the permission to interpret scripts or other files containing > >> what can be seen as commands. > > > > I don't have a problem with the concept, but we're running low on O_ bits. > > Does this have to be done before the process gets a file descriptor, > > or could we have a new syscall? Since we're going to be changing the > > interpreters anyway, it doesn't seem like too much of an imposition to > > ask them to use: > > > > int verify_for_exec(int fd) > > > > instead of adding an O_MAYEXEC. > > Adding a new syscall for this simple use case seems excessive. I think We have somewhat less than 400 syscalls today. We have 20 O_ bits defined. Obviously there's a lower practical limit on syscalls, but in principle we could have up to 2^32 syscalls, and there are only 12 O_ bits remaining. > that the open/openat syscall familly are the right place to do an atomic > open and permission check, the same way the kernel does for other file > access. Moreover, it will be easier to patch upstream interpreters > without the burden of handling a (new) syscall that may not exist on the > running system, whereas unknown open flags are ignored. Ah, but that's the problem. The interpreter can see an -ENOSYS response and handle it appropriately. If the flag is silently ignored, the interpreter has no idea whether it can do a racy check or whether to skip even trying to do the check.
