| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250822170800.2116980-1-mic@digikod.net> Date: Fri, 22 Aug 2025 19:07:58 +0200 From: Mickaël Salaün <mic@...ikod.net> To: Al Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Serge Hallyn <serge@...lyn.com> Cc: Mickaël Salaün <mic@...ikod.net>, Andy Lutomirski <luto@...nel.org>, Arnd Bergmann <arnd@...db.de>, Christian Heimes <christian@...hon.org>, Dmitry Vyukov <dvyukov@...gle.com>, Elliott Hughes <enh@...gle.com>, Fan Wu <wufan@...ux.microsoft.com>, Florian Weimer <fweimer@...hat.com>, Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>, Jonathan Corbet <corbet@....net>, Jordan R Abrahams <ajordanr@...gle.com>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Luca Boccassi <bluca@...ian.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Miklos Szeredi <mszeredi@...hat.com>, Mimi Zohar <zohar@...ux.ibm.com>, Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>, Robert Waite <rowait@...rosoft.com>, Roberto Sassu <roberto.sassu@...wei.com>, Scott Shell <scottsh@...rosoft.com>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Hi, Script interpreters can check if a file would be allowed to be executed by the kernel using the new AT_EXECVE_CHECK flag. This approach works well on systems with write-xor-execute policies, where scripts cannot be modified by malicious processes. However, this protection may not be available on more generic distributions. The key difference between `./script.sh` and `sh script.sh` (when using AT_EXECVE_CHECK) is that execve(2) prevents the script from being opened for writing while it's being executed. To achieve parity, the kernel should provide a mechanism for script interpreters to deny write access during script interpretation. While interpreters can copy script content into a buffer, a race condition remains possible after AT_EXECVE_CHECK. This patch series introduces a new O_DENY_WRITE flag for use with open*(2) and fcntl(2). Both interfaces are necessary since script interpreters may receive either a file path or file descriptor. For backward compatibility, open(2) with O_DENY_WRITE will not fail on unsupported systems, while users requiring explicit support guarantees can use openat2(2). The check_exec.rst documentation and related examples do not mention this new feature yet. Regards, Mickaël Salaün (2): fs: Add O_DENY_WRITE selftests/exec: Add O_DENY_WRITE tests fs/fcntl.c | 26 ++- fs/file_table.c | 2 + fs/namei.c | 6 + include/linux/fcntl.h | 2 +- include/uapi/asm-generic/fcntl.h | 4 + tools/testing/selftests/exec/check-exec.c | 219 ++++++++++++++++++++++ 6 files changed, 256 insertions(+), 3 deletions(-) base-commit: c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9 -- 2.50.1
Powered by blists - more mailing lists