On 10/09/2020 19:21, Mickaël Salaün wrote: > > On 10/09/2020 19:04, Matthew Wilcox wrote: >> On Thu, Sep 10, 2020 at 06:46:09PM +0200, Mickaël Salaün wrote: >>> This ninth patch series rework the previous AT_INTERPRETED and O_MAYEXEC >>> series with a new syscall: introspect_access(2) . Access check are now >>> only possible on a file descriptor, which enable to avoid possible race >>> conditions in user space. >> >> But introspection is about examining _yourself_. This isn't about >> doing that. It's about doing ... something ... to a script that you're >> going to execute. If the script were going to call the syscall, then >> it might be introspection. Or if the interpreter were measuring itself, >> that would be introspection. But neither of those would be useful things >> to do, because an attacker could simply avoid doing them. > > Picking a good name other than "access" (or faccessat2) is not easy. The > idea with introspect_access() is for the calling task to ask the kernel > if this task should allows to do give access to a kernel resource which > is already available to this task. In this sense, we think that > introspection makes sense because it is the choice of the task to allow > or deny an access. > >> >> So, bad name. What might be better? sys_security_check()? >> sys_measure()? sys_verify_fd()? I don't know. >> > > "security_check" looks quite broad, "measure" doesn't make sense here, > "verify_fd" doesn't reflect that it is an access check. Yes, not easy, > but if this is the only concern we are on the good track. :) > > > Other ideas: > - interpret_access (mainly, but not only, for interpreters) > - indirect_access > - may_access > - faccessat3 > I think that entrusted_access(2) looks good. What do you think?
