> On Sep 6, 2019, at 12:07 PM, Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
>
>> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote:
>> * Steve Grubb:
>>> Now with LD_AUDIT
>>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test 2>&1 | grep passwd
>>> openat(3, "passwd", O_RDONLY) = 4
>>>
>>> No O_CLOEXEC flag.
>>
>> I think you need to explain in detail why you consider this a problem.
>
> Because you can strip the O_MAYEXEC flag from being passed into the kernel.
> Once you do that, you defeat the security mechanism because it never gets
> invoked. The issue is that the only thing that knows _why_ something is being
> opened is user space. With this mechanism, you can attempt to pass this
> reason to the kernel so that it may see if policy permits this. But you can
> just remove the flag.

I'm with Florian here. Once you are executing code in a process, you could
just emulate some other unapproved code. This series is not intended to
provide the kind of absolute protection you're imagining.

What the kernel *could* do is prevent mmapping a non-FMODE_EXEC file with
PROT_EXEC, which would indeed have a real effect (in an iOS-like world, for
example) but would break many, many things.
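As an added illustration (not code from the thread or from the O_MAYEXEC series), the program below asks the kernel which flags a descriptor actually ended up with, via fcntl(F_GETFD) and fcntl(F_GETFL), instead of trusting the flags the caller passed to open(). This is how a process could notice at runtime that the O_CLOEXEC missing from the strace output above never reached the kernel. The default path /dev/null and the function names are constructed for the example.

```c
/* Added example: verify that open() flags survived to the kernel by asking
 * the kernel what it recorded for the descriptor, rather than trusting the
 * flags we passed in. Not part of the original thread. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Open `path` read-only with O_CLOEXEC, then report what the kernel recorded.
 * Returns 1 if FD_CLOEXEC is set on the new descriptor, 0 if the flag did not
 * reach the kernel (for example, stripped by an interposing library), and -1
 * on error. The descriptor is closed before returning. */
int open_and_check_cloexec(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* F_GETFD returns the per-descriptor flags; FD_CLOEXEC lives here. */
    int fdflags = fcntl(fd, F_GETFD);
    close(fd);
    if (fdflags < 0)
        return -1;
    return (fdflags & FD_CLOEXEC) ? 1 : 0;
}

/* Same idea for the file status flags. Returns 1 if the access mode the kernel
 * recorded matches `expected_accmode` (O_RDONLY, O_WRONLY or O_RDWR), 0 if it
 * differs, and -1 on error. */
int open_and_check_accmode(const char *path, int expected_accmode)
{
    int fd = open(path, expected_accmode | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* F_GETFL returns the open-file status flags; mask to the access mode. */
    int flflags = fcntl(fd, F_GETFL);
    close(fd);
    if (flflags < 0)
        return -1;
    return ((flflags & O_ACCMODE) == expected_accmode) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Constructed default target; pass a path on the command line to check another file. */
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int r = open_and_check_cloexec(path);
    if (r < 0) {
        perror("open/fcntl");
        return 1;
    }
    printf("%s: FD_CLOEXEC %s\n", path, r ? "present" : "MISSING");
    return r ? 0 : 2;
}
```

Run it normally and then under the same LD_AUDIT library as the strace experiment to see the difference in the reported flags. Because fcntl() is resolved through the same dynamic linker as open(), an LD_AUDIT or LD_PRELOAD object can interpose it as well, so this is a diagnostic for catching accidental flag loss, not a boundary against code already running in the process, which is exactly the point made in the reply above.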