On Thu, May 14, 2020 at 09:16:13PM +0200, Mickaël Salaün wrote: > On 14/05/2020 18:10, Stephen Smalley wrote: > > On Thu, May 14, 2020 at 11:45 AM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > >> So, it looks like adding FMODE_EXEC into f_flags in do_open() is needed in > >> addition to injecting MAY_EXEC into acc_mode in do_open()? Hmmm > > > > Just do both in build_open_flags() and be done with it? Looks like he > > was already setting FMODE_EXEC in patch 1 so we just need to teach > > AppArmor/TOMOYO to check for it and perform file execute checking in > > that case if !current->in_execve? > > I can postpone the file permission check for another series to make this > one simpler (i.e. mount noexec only). Because it depends on the sysctl > setting, it is OK to add this check later, if needed. In the meantime, > AppArmor and Tomoyo could be getting ready for this. So, after playing around with this series, investigating Stephen's comments, digging through the existing FMODE_EXEC uses, and spending a bit more time thinking about Lev and Aleksa's dislike of the sysctls, I've got a much more radically simplified solution that I think could work. Maybe I've missed some earlier discussion that ruled this out, but I couldn't find it: let's just add O_EXEC and be done with it. It actually makes the execve() path more like openat2() and is much cleaner after a little refactoring. Here are the results, though I haven't emailed it yet since I still want to do some more testing: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=kspp/o_exec/v1 I look forward to flames! ;) -- Kees Cook