linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Mickaël Salaün" <mic@digikod.net>
To: Florian Weimer <fweimer@redhat.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
	Jann Horn <jannh@google.com>,  Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	 Kees Cook <keescook@chromium.org>,
	Paul Moore <paul@paul-moore.com>,
	 Serge Hallyn <serge@hallyn.com>,
	Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
	 Christian Heimes <christian@python.org>,
	Dmitry Vyukov <dvyukov@google.com>,
	 Elliott Hughes <enh@google.com>,
	Fan Wu <wufan@linux.microsoft.com>, Jeff Xu <jeffxu@google.com>,
	 Jonathan Corbet <corbet@lwn.net>,
	Jordan R Abrahams <ajordanr@google.com>,
	 Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	Luca Boccassi <bluca@debian.org>,
	 Matt Bobrowski <mattbobrowski@google.com>,
	Miklos Szeredi <mszeredi@redhat.com>,
	 Mimi Zohar <zohar@linux.ibm.com>,
	Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,
	 Robert Waite <rowait@microsoft.com>,
	Roberto Sassu <roberto.sassu@huawei.com>,
	 Scott Shell <scottsh@microsoft.com>,
	Steve Dower <steve.dower@python.org>,
	 Steve Grubb <sgrubb@redhat.com>,
	kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
	 linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	 linux-security-module@vger.kernel.org,
	Jeff Xu <jeffxu@chromium.org>
Subject: Re: [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE
Date: Tue, 26 Aug 2025 14:35:08 +0200	[thread overview]
Message-ID: <20250826.Lie3ye8to7yo@digikod.net> (raw)
In-Reply-To: <lhuikibbv0g.fsf@oldenburg.str.redhat.com>

On Mon, Aug 25, 2025 at 11:39:11AM +0200, Florian Weimer wrote:
> * Mickaël Salaün:
> 
> > The order of checks would be:
> > 1. open script with O_DENY_WRITE
> > 2. check executability with AT_EXECVE_CHECK
> > 3. read the content and interpret it
> >
> > The deny-write feature was to guarantee that there is no race condition
> > between step 2 and 3.  All these checks are supposed to be done by a
> > trusted interpreter (which is allowed to be executed).  The
> > AT_EXECVE_CHECK call enables the caller to know if the kernel (and
> > associated security policies) allowed the *current* content of the file
> > to be executed.  Whatever happen before or after that (wrt.
> > O_DENY_WRITE) should be covered by the security policy.
> 
> Why isn't it an improper system configuration if the script file is
> writable?

It is, except if the system only wants to track executions (e.g. record
checksum of scripts) without restricting file modifications.

> 
> In the past, the argument was that making a file (writable and)
> executable was an auditable even, and that provided enough coverage for
> those people who are interested in this.

Yes, but in this case there is a race condition that this patch tried to
fix.

  reply	other threads:[~2025-08-26 12:35 UTC|newest]

Thread overview: 40+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-22 17:07 [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Mickaël Salaün
2025-08-22 17:07 ` [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE Mickaël Salaün
2025-08-22 19:45   ` Jann Horn
2025-08-24 11:03     ` Mickaël Salaün
2025-08-24 18:04       ` Andy Lutomirski
2025-08-25  9:31         ` Mickaël Salaün
2025-08-25  9:39           ` Florian Weimer
2025-08-26 12:35             ` Mickaël Salaün [this message]
2025-08-25 16:43           ` Andy Lutomirski
2025-08-25 18:10             ` Jeff Xu
2025-08-25 17:57           ` Jeff Xu
2025-08-26 12:39             ` Mickaël Salaün
2025-08-26 20:29               ` Jeff Xu
2025-08-27  8:19                 ` Mickaël Salaün
2025-08-28 20:17                   ` Jeff Xu
2025-08-27 10:18     ` Aleksa Sarai
2025-08-27 10:29   ` Aleksa Sarai
2025-08-22 17:08 ` [RFC PATCH v1 2/2] selftests/exec: Add O_DENY_WRITE tests Mickaël Salaün
2025-08-26  9:07 ` [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Christian Brauner
2025-08-26 11:23   ` Mickaël Salaün
2025-08-26 12:30     ` Theodore Ts'o
2025-08-26 17:47       ` Mickaël Salaün
2025-08-26 20:50         ` Theodore Ts'o
2025-08-27  8:19           ` Mickaël Salaün
2025-08-27 17:35         ` Andy Lutomirski
2025-08-27 19:07           ` Mickaël Salaün
2025-08-27 20:35             ` Andy Lutomirski
2025-08-28  0:14     ` Aleksa Sarai
2025-08-28  0:32       ` Andy Lutomirski
2025-08-28  0:52         ` Aleksa Sarai
2025-08-28 21:01         ` Serge E. Hallyn
2025-09-01 11:05           ` Jann Horn
2025-09-01 13:18             ` Serge E. Hallyn
2025-09-01 16:01             ` Andy Lutomirski
2025-09-01  9:24       ` Roberto Sassu
2025-09-01 16:25         ` Andy Lutomirski
2025-09-01 17:01           ` Roberto Sassu
2025-09-02  8:57             ` Roberto Sassu
  -- strict thread matches above, loose matches on Subject: below --
2025-08-25 21:56 [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE Andy Lutomirski
2025-08-25 23:06 ` Jeff Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250826.Lie3ye8to7yo@digikod.net \
    --to=mic@digikod.net \
    --cc=ajordanr@google.com \
    --cc=arnd@arndb.de \
    --cc=bluca@debian.org \
    --cc=brauner@kernel.org \
    --cc=christian@python.org \
    --cc=corbet@lwn.net \
    --cc=dvyukov@google.com \
    --cc=enh@google.com \
    --cc=fweimer@redhat.com \
    --cc=jannh@google.com \
    --cc=jeffxu@chromium.org \
    --cc=jeffxu@google.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=luto@kernel.org \
    --cc=mattbobrowski@google.com \
    --cc=mszeredi@redhat.com \
    --cc=nicolas.bouchinet@oss.cyber.gouv.fr \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=rowait@microsoft.com \
    --cc=scottsh@microsoft.com \
    --cc=serge@hallyn.com \
    --cc=sgrubb@redhat.com \
    --cc=steve.dower@python.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=wufan@linux.microsoft.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).