Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-22 Kees Cook
On Wed, Jul 22, 2020 at 09:04:28PM +0200, Mickaël Salaün wrote: > > On 22/07/2020 18:16, Thibaut Sautereau wrote: > > On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote: > >> > >> On 15/07/2020 22:37, Kees Cook wrote: > >>> On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-22 Mickaël Salaün
On 22/07/2020 18:16, Thibaut Sautereau wrote: > On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote: >> >> On 15/07/2020 22:37, Kees Cook wrote: >>> On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote: @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path,

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-22 Thibaut Sautereau
On Thu, Jul 16, 2020 at 04:39:14PM +0200, Mickaël Salaün wrote: > > On 15/07/2020 22:37, Kees Cook wrote: > > On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote: > >> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int > >> acc_mode, int flag) > >>case S_IFLNK:

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-16 Mickaël Salaün
On 14/07/2020 20:40, Randy Dunlap wrote: > Hi, > > On 7/14/20 11:16 AM, Mickaël Salaün wrote: > >> --- >> Documentation/admin-guide/sysctl/fs.rst | 45 + >> fs/namei.c | 29 +--- >> include/linux/fs.h | 1 +

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-16 Mickaël Salaün
On 15/07/2020 22:37, Kees Cook wrote: > On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote: >> @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int >> acc_mode, int flag) >> case S_IFLNK: >> return -ELOOP; >> case S_IFDIR: >> -if

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-15 Kees Cook
On Tue, Jul 14, 2020 at 08:16:36PM +0200, Mickaël Salaün wrote: > @@ -2849,7 +2855,7 @@ static int may_open(const struct path *path, int > acc_mode, int flag) > case S_IFLNK: > return -ELOOP; > case S_IFDIR: > - if (acc_mode & (MAY_WRITE | MAY_EXEC)) > +

Re: [PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-14 Randy Dunlap
Hi, On 7/14/20 11:16 AM, Mickaël Salaün wrote: > --- > Documentation/admin-guide/sysctl/fs.rst | 45 + > fs/namei.c | 29 +--- > include/linux/fs.h | 1 + > kernel/sysctl.c | 12

[PATCH v6 5/7] fs,doc: Enable to enforce noexec mounts or file exec through O_MAYEXEC

2020-07-14 Mickaël Salaün
Allow for the enforcement of the O_MAYEXEC openat2(2) flag. Thanks to the noexec option from the underlying VFS mount, or to the file execute permission, userspace can enforce these execution policies. This may allow script interpreters to check execution permission before reading commands from