| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250826-skorpion-magma-141496988fdc@brauner> Date: Tue, 26 Aug 2025 11:07:03 +0200 From: Christian Brauner <brauner@...nel.org> To: Mickaël Salaün <mic@...ikod.net> Cc: Al Viro <viro@...iv.linux.org.uk>, Kees Cook <keescook@...omium.org>, Paul Moore <paul@...l-moore.com>, Serge Hallyn <serge@...lyn.com>, Andy Lutomirski <luto@...nel.org>, Arnd Bergmann <arnd@...db.de>, Christian Heimes <christian@...hon.org>, Dmitry Vyukov <dvyukov@...gle.com>, Elliott Hughes <enh@...gle.com>, Fan Wu <wufan@...ux.microsoft.com>, Florian Weimer <fweimer@...hat.com>, Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>, Jonathan Corbet <corbet@....net>, Jordan R Abrahams <ajordanr@...gle.com>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Luca Boccassi <bluca@...ian.org>, Matt Bobrowski <mattbobrowski@...gle.com>, Miklos Szeredi <mszeredi@...hat.com>, Mimi Zohar <zohar@...ux.ibm.com>, Nicolas Bouchinet <nicolas.bouchinet@....cyber.gouv.fr>, Robert Waite <rowait@...rosoft.com>, Roberto Sassu <roberto.sassu@...wei.com>, Scott Shell <scottsh@...rosoft.com>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) On Fri, Aug 22, 2025 at 07:07:58PM +0200, Mickaël Salaün wrote: > Hi, > > Script interpreters can check if a file would be allowed to be executed > by the kernel using the new AT_EXECVE_CHECK flag. This approach works > well on systems with write-xor-execute policies, where scripts cannot > be modified by malicious processes. However, this protection may not be > available on more generic distributions. > > The key difference between `./script.sh` and `sh script.sh` (when using > AT_EXECVE_CHECK) is that execve(2) prevents the script from being opened > for writing while it's being executed. To achieve parity, the kernel > should provide a mechanism for script interpreters to deny write access > during script interpretation. While interpreters can copy script content > into a buffer, a race condition remains possible after AT_EXECVE_CHECK. > > This patch series introduces a new O_DENY_WRITE flag for use with > open*(2) and fcntl(2). Both interfaces are necessary since script > interpreters may receive either a file path or file descriptor. For > backward compatibility, open(2) with O_DENY_WRITE will not fail on > unsupported systems, while users requiring explicit support guarantees > can use openat2(2). We've said no to abusing the O_* flag space for that AT_EXECVE_* stuff before and you've been told by Linus as well that this is a nogo. Nothing has changed in that regard and I'm not interested in stuffing the VFS APIs full of special-purpose behavior to work around the fact that this is work that needs to be done in userspace. Change the apps, stop pushing more and more cruft into the VFS that has no business there. That's before we get into all the issues that are introduced by this mechanism that magically makes arbitrary files unwritable. It's not just a DoS it's likely to cause breakage in userspace as well. I removed the deny-write from execve because it already breaks various use-cases or leads to spurious failures in e.g., go. We're not spreading this disease as a first-class VFS API.
Powered by blists - more mailing lists