[RFC PATCH v1 1/2] fs: Add O_DENY_WRITE
Florian Weimer
fweimer at redhat.com
Mon Aug 25 09:39:11 UTC 2025
* Mickaël Salaün:
> The order of checks would be:
> 1. open script with O_DENY_WRITE
> 2. check executability with AT_EXECVE_CHECK
> 3. read the content and interpret it
>
> The deny-write feature was to guarantee that there is no race condition
> between step 2 and 3. All these checks are supposed to be done by a
> trusted interpreter (which is allowed to be executed). The
> AT_EXECVE_CHECK call enables the caller to know if the kernel (and
> associated security policies) allowed the *current* content of the file
> to be executed. Whatever happens before or after that (wrt.
> O_DENY_WRITE) should be covered by the security policy.

Why isn't it an improper system configuration if the script file is
writable?

In the past, the argument was that making a file (writable and)
executable was an auditable event, and that provided enough coverage for
those people who are interested in this.

Thanks,
Florian