lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 15 May 2020 09:58:00 +0900
From:   Tetsuo Handa <>
To:     Mickaël Salaün <>,
        Stephen Smalley <>
Cc:     Kees Cook <>,
        John Johansen <>,
        Kentaro Takeda <>,
        linux-kernel <>,
        Aleksa Sarai <>,
        Alexei Starovoitov <>,
        Al Viro <>,
        Andy Lutomirski <>,
        Christian Heimes <>,
        Daniel Borkmann <>,
        Deven Bowers <>,
        Eric Chiang <>,
        Florian Weimer <>,
        James Morris <>, Jan Kara <>,
        Jann Horn <>, Jonathan Corbet <>,
        Lakshmi Ramasubramanian <>,
        Matthew Garrett <>,
        Matthew Wilcox <>,
        Michael Kerrisk <>,
        Mickaël Salaün <>,
        Mimi Zohar <>,
        Philippe Trébuchet 
        Scott Shell <>,
        Sean Christopherson <>,
        Shuah Khan <>,
        Steve Dower <>,
        Steve Grubb <>,
        Thibaut Sautereau <>,
        Vincent Strubel <>,,,,
        LSM List <>,
        Linux FS Devel <>
Subject: Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec
 through O_MAYEXEC

On 2020/05/06 0:31, Mickaël Salaün wrote:
> The goal of this patch series is to enable to control script execution
> with interpreters help.  A new O_MAYEXEC flag, usable through
> openat2(2), is added to enable userspace script interpreter to delegate
> to the kernel (and thus the system security policy) the permission to
> interpret/execute scripts or other files containing what can be seen as
> commands.

Since TOMOYO considers that any file (even standard input which is connected
to keyboard) can provide data which can be interpreted as executable, TOMOYO
does not check traditional "execute permission". TOMOYO's execute permission
serves as a gate for replacing current process with a new file using execve()
syscall. All other calls (e.g. uselib(), open()) are simply treated as
opening a file for read/write/append etc. Therefore,

On 14/05/2020 18:10, Stephen Smalley wrote:> Just do both in build_open_flags() and be done with it? Looks like he
> was already setting FMODE_EXEC in patch 1 so we just need to teach> AppArmor/TOMOYO to check for it and perform file execute checking in> that case if !current->in_execve?
regarding TOMOYO, I don't think that TOMOYO needs to perform file execute
checking if !current->in_execve , even if O_MAYEXEC is introduced.

Powered by blists - more mailing lists