[PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC
Randy Dunlap
rdunlap at infradead.org
Tue May 5 17:40:31 UTC 2020
On 5/5/20 9:55 AM, Mickaël Salaün wrote:
>
>
> On 05/05/2020 17:44, Randy Dunlap wrote:
>> On 5/5/20 8:31 AM, Mickaël Salaün wrote:
>>> diff --git a/security/Kconfig b/security/Kconfig
>>> index cd3cc7da3a55..d8fac9240d14 100644
>>> --- a/security/Kconfig
>>> +++ b/security/Kconfig
>>> @@ -230,6 +230,32 @@ config STATIC_USERMODEHELPER_PATH
>>> If you wish for all usermode helper programs to be disabled,
>>> specify an empty string here (i.e. "").
>>>
>>> +menuconfig OMAYEXEC_STATIC
>>> + tristate "Configure O_MAYEXEC behavior at build time"
>>> + ---help---
>>> + Enable to enforce O_MAYEXEC at build time, and disable the dedicated
>>> + fs.open_mayexec_enforce sysctl.
>>
>> That help message is a bit confusing IMO. Does setting/enabling OMAYEXEC_STATIC
>> both enforce O_MAYEXEC at build time and also disable the dedicated sysctl?
>
> Yes. What about this?
> "Define the O_MAYEXEC policy at build time only. As a side effect, this
> also disables the fs.open_mayexec_enforce sysctl."
>
Yes, much better. Thanks.
>>
>> Or are these meant to be alternatives, one for what Enabling this kconfig symbol
>> does and the other for what Disabling this symbol does? If so, it doesn't
>> say that.
>>
>>> +
>>> + See Documentation/admin-guide/sysctl/fs.rst for more details.
>>> +
>>> +if OMAYEXEC_STATIC
>>> +
>>> +config OMAYEXEC_ENFORCE_MOUNT
>>> + bool "Mount restriction"
>>> + default y
>>> + ---help---
>>> + Forbid opening files with the O_MAYEXEC option if their underlying VFS is
>>> + mounted with the noexec option or if their superblock forbids execution
>>> + of its content (e.g., /proc).
>>> +
>>> +config OMAYEXEC_ENFORCE_FILE
>>> + bool "File permission restriction"
>>> + ---help---
>>> + Forbid opening files with the O_MAYEXEC option if they are not marked as
>>> + executable for the current process (e.g., POSIX permissions).
>>> +
>>> +endif # OMAYEXEC_STATIC
>>> +
>>> source "security/selinux/Kconfig"
>>> source "security/smack/Kconfig"
>>> source "security/tomoyo/Kconfig"
>>
>>
--
~Randy
More information about the Linux-security-module-archive
mailing list