[RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Mickaël Salaün" <mic@digikod.net>
To: Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	Kees Cook <keescook@chromium.org>,
	Paul Moore <paul@paul-moore.com>, Serge Hallyn <serge@hallyn.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Christian Heimes" <christian@python.org>,
	"Dmitry Vyukov" <dvyukov@google.com>,
	"Elliott Hughes" <enh@google.com>,
	"Fan Wu" <wufan@linux.microsoft.com>,
	"Florian Weimer" <fweimer@redhat.com>,
	"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Jordan R Abrahams" <ajordanr@google.com>,
	"Lakshmi Ramasubramanian" <nramas@linux.microsoft.com>,
	"Luca Boccassi" <bluca@debian.org>,
	"Matt Bobrowski" <mattbobrowski@google.com>,
	"Miklos Szeredi" <mszeredi@redhat.com>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"Nicolas Bouchinet" <nicolas.bouchinet@oss.cyber.gouv.fr>,
	"Robert Waite" <rowait@microsoft.com>,
	"Roberto Sassu" <roberto.sassu@huawei.com>,
	"Scott Shell" <scottsh@microsoft.com>,
	"Steve Dower" <steve.dower@python.org>,
	"Steve Grubb" <sgrubb@redhat.com>,
	kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)
Date: Fri, 22 Aug 2025 19:07:58 +0200	[thread overview]
Message-ID: <20250822170800.2116980-1-mic@digikod.net> (raw)

Hi,

Script interpreters can check if a file would be allowed to be executed
by the kernel using the new AT_EXECVE_CHECK flag. This approach works
well on systems with write-xor-execute policies, where scripts cannot
be modified by malicious processes. However, this protection may not be
available on more generic distributions.

The key difference between `./script.sh` and `sh script.sh` (when using
AT_EXECVE_CHECK) is that execve(2) prevents the script from being opened
for writing while it's being executed. To achieve parity, the kernel
should provide a mechanism for script interpreters to deny write access
during script interpretation. While interpreters can copy script content
into a buffer, a race condition remains possible after AT_EXECVE_CHECK.

This patch series introduces a new O_DENY_WRITE flag for use with
open*(2) and fcntl(2). Both interfaces are necessary since script
interpreters may receive either a file path or file descriptor. For
backward compatibility, open(2) with O_DENY_WRITE will not fail on
unsupported systems, while users requiring explicit support guarantees
can use openat2(2).

The check_exec.rst documentation and related examples do not mention this new
feature yet.

Regards,

Mickaël Salaün (2):
  fs: Add O_DENY_WRITE
  selftests/exec: Add O_DENY_WRITE tests

 fs/fcntl.c                                |  26 ++-
 fs/file_table.c                           |   2 +
 fs/namei.c                                |   6 +
 include/linux/fcntl.h                     |   2 +-
 include/uapi/asm-generic/fcntl.h          |   4 +
 tools/testing/selftests/exec/check-exec.c | 219 ++++++++++++++++++++++
 6 files changed, 256 insertions(+), 3 deletions(-)

base-commit: c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9
-- 
2.50.1

next             reply	other threads:[~2025-08-22 17:08 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-22 17:07 Mickaël Salaün [this message]
2025-08-22 17:07 ` [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE Mickaël Salaün
2025-08-22 19:45   ` Jann Horn
2025-08-24 11:03     ` Mickaël Salaün
2025-08-24 18:04       ` Andy Lutomirski
2025-08-25  9:31         ` Mickaël Salaün
2025-08-25  9:39           ` Florian Weimer
2025-08-26 12:35             ` Mickaël Salaün
2025-08-25 16:43           ` Andy Lutomirski
2025-08-25 18:10             ` Jeff Xu
2025-08-25 17:57           ` Jeff Xu
2025-08-26 12:39             ` Mickaël Salaün
2025-08-26 20:29               ` Jeff Xu
2025-08-27  8:19                 ` Mickaël Salaün
2025-08-28 20:17                   ` Jeff Xu
2025-08-27 10:18     ` Aleksa Sarai
2025-08-27 10:29   ` Aleksa Sarai
2025-08-22 17:08 ` [RFC PATCH v1 2/2] selftests/exec: Add O_DENY_WRITE tests Mickaël Salaün
2025-08-26  9:07 ` [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Christian Brauner
2025-08-26 11:23   ` Mickaël Salaün
2025-08-26 12:30     ` Theodore Ts'o
2025-08-26 17:47       ` Mickaël Salaün
2025-08-26 20:50         ` Theodore Ts'o
2025-08-27  8:19           ` Mickaël Salaün
2025-08-27 17:35         ` Andy Lutomirski
2025-08-27 19:07           ` Mickaël Salaün
2025-08-27 20:35             ` Andy Lutomirski
2025-08-28  0:14     ` Aleksa Sarai
2025-08-28  0:32       ` Andy Lutomirski
2025-08-28  0:52         ` Aleksa Sarai
2025-08-28 21:01         ` Serge E. Hallyn
2025-09-01 11:05           ` Jann Horn
2025-09-01 13:18             ` Serge E. Hallyn
2025-09-01 16:01             ` Andy Lutomirski
2025-09-01  9:24       ` Roberto Sassu
2025-09-01 16:25         ` Andy Lutomirski
2025-09-01 17:01           ` Roberto Sassu
2025-09-02  8:57             ` Roberto Sassu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250822170800.2116980-1-mic@digikod.net \
    --to=mic@digikod.net \
    --cc=ajordanr@google.com \
    --cc=arnd@arndb.de \
    --cc=bluca@debian.org \
    --cc=brauner@kernel.org \
    --cc=christian@python.org \
    --cc=corbet@lwn.net \
    --cc=dvyukov@google.com \
    --cc=enh@google.com \
    --cc=fweimer@redhat.com \
    --cc=jannh@google.com \
    --cc=jeffxu@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@kernel.org \
    --cc=mattbobrowski@google.com \
    --cc=mszeredi@redhat.com \
    --cc=nicolas.bouchinet@oss.cyber.gouv.fr \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=rowait@microsoft.com \
    --cc=scottsh@microsoft.com \
    --cc=serge@hallyn.com \
    --cc=sgrubb@redhat.com \
    --cc=steve.dower@python.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wufan@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).