[RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)
Theodore Ts'o
tytso at mit.edu
Tue Aug 26 12:30:41 UTC 2025

Is there a single, unified design and requirements document that
describes the threat model, and what you are trying to achieve with
AT_EXECVE_CHECK and O_DENY_WRITE? I've been looking at the cover
letters for AT_EXECVE_CHECK and O_DENY_WRITE, and the documentation
that has landed for AT_EXECVE_CHECK and it really doesn't describe
what *are* the checks that AT_EXECVE_CHECK is trying to achieve:

    "The AT_EXECVE_CHECK execveat(2) flag, and the
    SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
    securebits are intended for script interpreters and dynamic linkers
    to enforce a consistent execution security policy handled by the
    kernel."

Um, what security policy? What checks? What is a sample exploit
which is blocked by AT_EXECVE_CHECK?

And then on top of it, why can't you do these checks by modifying the
script interpreters?

Confused,

- Ted