[PATCH v2 0/5] Add support for O_MAYEXEC
Andy Lutomirski
luto at amacapital.net
Fri Sep 6 19:26:51 UTC 2019
> On Sep 6, 2019, at 12:07 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Friday, September 6, 2019 2:57:00 PM EDT Florian Weimer wrote:
>> * Steve Grubb:
>>> Now with LD_AUDIT
>>> $ LD_AUDIT=/home/sgrubb/test/openflags/strip-flags.so.0 strace ./test 2>&1 | grep passwd
>>> openat(3, "passwd", O_RDONLY) = 4
>>>
>>> No O_CLOEXEC flag.
>>
>> I think you need to explain in detail why you consider this a problem.
>
> Because you can strip the O_MAYEXEC flag from being passed into the kernel.
> Once you do that, you defeat the security mechanism because it never gets
> invoked. The issue is that the only thing that knows _why_ something is being
> opened is user space. With this mechanism, you can attempt to pass this
> reason to the kernel so that it may see if policy permits this. But you can
> just remove the flag.
I’m with Florian here. Once you are executing code in a process, you could just emulate some other unapproved code. This series is not intended to provide the kind of absolute protection you’re imagining.

What the kernel *could* do is prevent mmapping a non-FMODE_EXEC file with PROT_EXEC, which would indeed have a real effect (in an iOS-like world, for example) but would break many, many things.
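
Added example, not part of the original message or of the patch series: a small C probe of the behaviour the last paragraph refers to, showing whether the running kernel accepts a PROT_EXEC mapping of a file that was opened with plain O_RDONLY and has no execute bit. The function name probe_exec_map and the temp-file name are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper for this example.
 * Returns 1 if the PROT_EXEC mapping succeeded, 0 if the kernel refused it
 * (typically EPERM on a noexec mount, EACCES from an LSM policy),
 * -1 on a setup error. */
int probe_exec_map(const char *dir)
{
    char path[4096];
    int n = snprintf(path, sizeof path, "%s/mayexec-probe-XXXXXX", dir);
    if (n < 0 || (size_t)n >= sizeof path) return -1;

    /* mkstemp() creates the file with mode 0600: no execute bit at all. */
    int wfd = mkstemp(path);
    if (wfd < 0) return -1;
    /* One byte so the mapping has a backing page; it is never executed. */
    if (write(wfd, "\0", 1) != 1) { close(wfd); unlink(path); return -1; }
    close(wfd);

    /* Plain read-only open: nothing here tells the kernel about exec intent. */
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    unlink(path);               /* fd stays valid after the name is removed */
    if (fd < 0) return -1;

    void *p = mmap(NULL, 1, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int saved = errno;
    close(fd);
    if (p != MAP_FAILED) { munmap(p, 1); return 1; }
    return (saved == EPERM || saved == EACCES) ? 0 : -1;
}

int main(void)
{
    const char *dir = getenv("TMPDIR");
    int r = probe_exec_map(dir ? dir : "/tmp");
    printf("PROT_EXEC map of O_RDONLY file: %s\n",
           r == 1 ? "allowed" : r == 0 ? "refused by mount/LSM policy" : "probe error");
    return r < 0;
}
```

A result of "allowed" means the only gate on the mapping is mount or LSM policy, not how the file was opened.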