[PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC
Kees Cook
keescook at chromium.org
Thu May 14 03:05:09 UTC 2020
On Wed, May 13, 2020 at 04:27:39PM -0700, Kees Cook wrote:
> Like, couldn't just the entire thing just be:
>
> diff --git a/fs/namei.c b/fs/namei.c
> index a320371899cf..0ab18e19f5da 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2849,6 +2849,13 @@ static int may_open(const struct path *path, int acc_mode, int flag)
> break;
> }
>
> + if (unlikely(mask & MAY_OPENEXEC)) {
> + if (sysctl_omayexec_enforce & OMAYEXEC_ENFORCE_MOUNT &&
> + path_noexec(path))
> + return -EACCES;
> + if (sysctl_omayexec_enforce & OMAYEXEC_ENFORCE_FILE)
> + acc_mode |= MAY_EXEC;
> + }
> error = inode_permission(inode, MAY_OPEN | acc_mode);
> if (error)
> return error;
>
FYI, I've confirmed this now. Effectively with patch 2 dropped, patch 3
reduced to this plus the Kconfig and sysctl changes, the self tests
pass.
I think this makes things much cleaner and correct.
--
Kees Cook
More information about the Linux-security-module-archive
mailing list