[RFC PATCH v8 0/3] Add support for AT_INTERPRETED (was O_MAYEXEC)
Mickaël Salaün
mic at digikod.net
Wed Sep 9 17:55:48 UTC 2020
On 09/09/2020 19:08, Matthew Wilcox wrote:
> On Wed, Sep 09, 2020 at 09:19:11AM +0200, Mickaël Salaün wrote:
>>
>> On 08/09/2020 20:50, Al Viro wrote:
>>> On Tue, Sep 08, 2020 at 09:59:53AM +0200, Mickaël Salaün wrote:
>>>> Hi,
>>>>
>>>> This height patch series rework the previous O_MAYEXEC series by not
>>>> adding a new flag to openat2(2) but to faccessat2(2) instead. As
>>>> suggested, this enables to perform the access check on a file descriptor
>>>> instead of on a file path (while opening it). This may require two
>>>> checks (one on open and then with faccessat2) but it is a more generic
>>>> approach [8].
>>>
>>> Again, why is that folded into lookup/open/whatnot, rather than being
>>> an operation applied to a file (e.g. O_PATH one)?
>>
>> I don't understand your question. AT_INTERPRETED can and should be used
>> with AT_EMPTY_PATH. The two checks I wrote about was for IMA.
>
> Al is saying you should add a new syscall, not try to fold it into
> some existing syscall.
>
> I agree with him. Add a new syscall, just like you were told to do it
> last time.
>
OK, but I didn't receive a response for my proposition to extend
faccessat2(2).
More information about the Linux-security-module-archive
mailing list