[PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC
Mickaël Salaün
mic at digikod.net
Tue May 5 16:55:59 UTC 2020
On 05/05/2020 17:44, Randy Dunlap wrote:
> On 5/5/20 8:31 AM, Mickaël Salaün wrote:
>> diff --git a/security/Kconfig b/security/Kconfig
>> index cd3cc7da3a55..d8fac9240d14 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -230,6 +230,32 @@ config STATIC_USERMODEHELPER_PATH
>> If you wish for all usermode helper programs to be disabled,
>> specify an empty string here (i.e. "").
>>
>> +menuconfig OMAYEXEC_STATIC
>> + tristate "Configure O_MAYEXEC behavior at build time"
>> + ---help---
>> + Enable to enforce O_MAYEXEC at build time, and disable the dedicated
>> + fs.open_mayexec_enforce sysctl.
>
> That help message is a bit confusing IMO. Does setting/enabling OMAYEXEC_STATIC
> both enforce O_MAYEXEC at build time and also disable the dedicated sysctl?
Yes. What about this?
"Define the O_MAYEXEC policy at build time only. As a side effect, this
also disables the fs.open_mayexec_enforce sysctl."
>
> Or are these meant to be alternatives, one for what Enabling this kconfig symbol
> does and the other for what Disabling this symbol does? If so, it doesn't
> say that.
>
>> +
>> + See Documentation/admin-guide/sysctl/fs.rst for more details.
>> +
>> +if OMAYEXEC_STATIC
>> +
>> +config OMAYEXEC_ENFORCE_MOUNT
>> + bool "Mount restriction"
>> + default y
>> + ---help---
>> + Forbid opening files with the O_MAYEXEC option if their underlying VFS is
>> + mounted with the noexec option or if their superblock forbids execution
>> + of its content (e.g., /proc).
>> +
>> +config OMAYEXEC_ENFORCE_FILE
>> + bool "File permission restriction"
>> + ---help---
>> + Forbid opening files with the O_MAYEXEC option if they are not marked as
>> + executable for the current process (e.g., POSIX permissions).
>> +
>> +endif # OMAYEXEC_STATIC
>> +
>> source "security/selinux/Kconfig"
>> source "security/smack/Kconfig"
>> source "security/tomoyo/Kconfig"
>
>
More information about the Linux-security-module-archive
mailing list