[RFC PATCH v1 1/2] fs: Add O_DENY_WRITE
Mickaël Salaün
mic at digikod.net
Tue Aug 26 12:35:08 UTC 2025
On Mon, Aug 25, 2025 at 11:39:11AM +0200, Florian Weimer wrote:
> * Mickaël Salaün:
>
> > The order of checks would be:
> > 1. open script with O_DENY_WRITE
> > 2. check executability with AT_EXECVE_CHECK
> > 3. read the content and interpret it
> >
> > The deny-write feature was to guarantee that there is no race condition
> > between step 2 and 3. All these checks are supposed to be done by a
> > trusted interpreter (which is allowed to be executed). The
> > AT_EXECVE_CHECK call enables the caller to know if the kernel (and
> > associated security policies) allowed the *current* content of the file
> > to be executed. Whatever happens before or after that (wrt.
> > O_DENY_WRITE) should be covered by the security policy.
>
> Why isn't it an improper system configuration if the script file is
> writable?
It is, except if the system only wants to track executions (e.g. record
checksum of scripts) without restricting file modifications.
>
> In the past, the argument was that making a file (writable and)
> executable was an auditable event, and that provided enough coverage for
> those people who are interested in this.
Yes, but in this case there is a race condition that this patch tried to
fix.
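The three-step sequence quoted above (open, AT_EXECVE_CHECK, read), as an added C example that is not part of this thread or of the RFC patch: it asks the kernel about the already-open descriptor and then reads through that same descriptor. AT_EXECVE_CHECK is the released flag (Linux 6.14, value 0x10000); O_DENY_WRITE is given a labelled placeholder value of 0 because its value is not on the page, so on a current kernel the check-to-read window the reply describes stays open. The demo script path and content are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* AT_EXECVE_CHECK is in linux/fcntl.h since Linux 6.14; define it for older headers. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
/* O_DENY_WRITE is the flag this RFC proposes; its value is not on the page. PLACEHOLDER 0
 * means "unavailable": the check-to-read window the thread discusses then stays open. */
#ifndef O_DENY_WRITE
#define O_DENY_WRITE 0
#endif

enum check_result {
    CHECK_OK,          /* kernel allowed the fd's current content; buf holds it */
    CHECK_OPEN_FAILED, /* script could not be opened */
    CHECK_DENIED,      /* AT_EXECVE_CHECK refused it (policy, noexec mount, mode) */
    CHECK_UNSUPPORTED  /* kernel does not know AT_EXECVE_CHECK (EINVAL/ENOSYS) */
};

/* Steps 1-3 from the thread: open once, ask the kernel about *this fd*, then read
 * through the same fd so a path swap after the check cannot substitute content. */
static enum check_result check_and_read_script(const char *path, char *buf,
                                               size_t buflen, size_t *outlen)
{
    *outlen = 0;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_DENY_WRITE);     /* step 1 */
    if (fd < 0) return CHECK_OPEN_FAILED;
    enum check_result res = CHECK_OK;
    if (syscall(SYS_execveat, fd, "", NULL, NULL,                 /* step 2 */
                AT_EMPTY_PATH | AT_EXECVE_CHECK) < 0)
        res = (errno == EINVAL || errno == ENOSYS) ? CHECK_UNSUPPORTED : CHECK_DENIED;
    for (ssize_t n; res == CHECK_OK && *outlen < buflen &&        /* step 3 */
                    (n = read(fd, buf + *outlen, buflen - *outlen)) > 0;)
        *outlen += (size_t)n;
    close(fd);
    return res;
}

/* Constructed demo input, created with mode 0700 so the kernel check sees an executable. */
#define DEMO_PATH   "/tmp/constructed-demo-script.sh"
#define DEMO_SCRIPT "#!/bin/sh\necho hello from a checked script\n"
static int write_demo_script(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0700);
    ssize_t w = fd < 0 ? -1 : write(fd, content, strlen(content));
    if (fd >= 0) close(fd);
    return w == (ssize_t)strlen(content) ? 0 : -1;
}
```

On a kernel without AT_EXECVE_CHECK the function reports CHECK_UNSUPPORTED rather than guessing; an interpreter that only tracks executions can still hash the bytes it read from the same descriptor it checked.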