On 2019-09-06, Mickaël Salaün <mickael.salaun@xxxxxxxxxxx> wrote: > > On 06/09/2019 17:56, Florian Weimer wrote: > > Let's assume I want to add support for this to the glibc dynamic loader, > > while still being able to run on older kernels. > > > > Is it safe to try the open call first, with O_MAYEXEC, and if that fails > > with EINVAL, try again without O_MAYEXEC? > > The kernel ignore unknown open(2) flags, so yes, it is safe even for > older kernel to use O_MAYEXEC. Depends on your definition of "safe" -- a security feature that you will silently not enable on older kernels doesn't sound super safe to me. Unfortunately this is a limitation of open(2) that we cannot change -- which is why the openat2(2) proposal I've been posting gives -EINVAL for unknown O_* flags. There is a way to probe for support (though unpleasant), by creating a test O_MAYEXEC fd and then checking if the flag is present in /proc/self/fdinfo/$n. -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH <https://www.cyphar.com/>
Attachment:
signature.asc
Description: PGP signature