[RFC PATCH v8 0/3] Add support for AT_INTERPRETED (was O_MAYEXEC)
Thibaut Sautereau
thibaut.sautereau at clip-os.org
Thu Sep 10 09:26:56 UTC 2020
On Wed, Sep 09, 2020 at 06:08:51PM +0100, Matthew Wilcox wrote:
> On Wed, Sep 09, 2020 at 09:19:11AM +0200, Mickaël Salaün wrote:
> >
> > On 08/09/2020 20:50, Al Viro wrote:
> > > On Tue, Sep 08, 2020 at 09:59:53AM +0200, Mickaël Salaün wrote:
> > >> Hi,
> > >>
> > >> This height patch series rework the previous O_MAYEXEC series by not
> > >> adding a new flag to openat2(2) but to faccessat2(2) instead. As
> > >> suggested, this enables to perform the access check on a file descriptor
> > >> instead of on a file path (while opening it). This may require two
> > >> checks (one on open and then with faccessat2) but it is a more generic
> > >> approach [8].
> > >
> > > Again, why is that folded into lookup/open/whatnot, rather than being
> > > an operation applied to a file (e.g. O_PATH one)?
> >
> > I don't understand your question. AT_INTERPRETED can and should be used
> > with AT_EMPTY_PATH. The two checks I wrote about was for IMA.
>
> Al is saying you should add a new syscall, not try to fold it into
> some existing syscall.
>
> I agree with him. Add a new syscall, just like you were told to do it
> last time.
Sure, we'll do it. In the meantime, could we at least get an explanation
about why using faccessat2() instead of a new syscall is wrong? I could
see the reasons for separating the exec checks from the file opening,
but this time I don't understand. Is it because it brings too much
complexity to do_faccessat()?
--
Thibaut Sautereau
CLIP OS developer
More information about the Linux-security-module-archive
mailing list