From: "Theodore Ts'o" <tytso@mit.edu>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: Christian Brauner <brauner@kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
Kees Cook <keescook@chromium.org>,
Paul Moore <paul@paul-moore.com>, Serge Hallyn <serge@hallyn.com>,
Andy Lutomirski <luto@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Christian Heimes <christian@python.org>,
Dmitry Vyukov <dvyukov@google.com>,
Elliott Hughes <enh@google.com>,
Fan Wu <wufan@linux.microsoft.com>,
Florian Weimer <fweimer@redhat.com>, Jann Horn <jannh@google.com>,
Jeff Xu <jeffxu@google.com>, Jonathan Corbet <corbet@lwn.net>,
Jordan R Abrahams <ajordanr@google.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Luca Boccassi <bluca@debian.org>,
Matt Bobrowski <mattbobrowski@google.com>,
Miklos Szeredi <mszeredi@redhat.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Nicolas Bouchinet <nicolas.bouchinet@oss.cyber.gouv.fr>,
Robert Waite <rowait@microsoft.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Scott Shell <scottsh@microsoft.com>,
Steve Dower <steve.dower@python.org>,
Steve Grubb <sgrubb@redhat.com>,
kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)
Date: Tue, 26 Aug 2025 08:30:41 -0400 [thread overview]
Message-ID: <20250826123041.GB1603531@mit.edu> (raw)
In-Reply-To: <20250826.aig5aiShunga@digikod.net>
Is there a single, unified design and requirements document that
describes the threat model, and what you are trying to achieve with
AT_EXECVE_CHECK and O_DENY_WRITE? I've been looking at the cover
letters for AT_EXECVE_CHECK and O_DENY_WRITE, and the documentation
that has landed for AT_EXECVE_CHECK and it really doesn't describe
what *are* the checks that AT_EXECVE_CHECK is trying to achieve:
"The AT_EXECVE_CHECK execveat(2) flag, and the
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
securebits are intended for script interpreters and dynamic linkers
to enforce a consistent execution security policy handled by the
kernel."
Um, what security policy? What checks? What is a sample exploit
which is blocked by AT_EXECVE_CHECK?
And then on top of it, why can't you do these checks by modifying the
script interpreters?
Confused,
- Ted
next prev parent reply other threads:[~2025-08-26 12:34 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-22 17:07 [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Mickaël Salaün
2025-08-22 17:07 ` [RFC PATCH v1 1/2] fs: Add O_DENY_WRITE Mickaël Salaün
2025-08-22 19:45 ` Jann Horn
2025-08-24 11:03 ` Mickaël Salaün
2025-08-24 18:04 ` Andy Lutomirski
2025-08-25 9:31 ` Mickaël Salaün
2025-08-25 9:39 ` Florian Weimer
2025-08-26 12:35 ` Mickaël Salaün
2025-08-25 16:43 ` Andy Lutomirski
2025-08-25 18:10 ` Jeff Xu
2025-08-25 17:57 ` Jeff Xu
2025-08-26 12:39 ` Mickaël Salaün
2025-08-26 20:29 ` Jeff Xu
2025-08-27 8:19 ` Mickaël Salaün
2025-08-28 20:17 ` Jeff Xu
2025-08-27 10:18 ` Aleksa Sarai
2025-08-27 10:29 ` Aleksa Sarai
2025-08-22 17:08 ` [RFC PATCH v1 2/2] selftests/exec: Add O_DENY_WRITE tests Mickaël Salaün
2025-08-26 9:07 ` [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK) Christian Brauner
2025-08-26 11:23 ` Mickaël Salaün
2025-08-26 12:30 ` Theodore Ts'o [this message]
2025-08-26 17:47 ` Mickaël Salaün
2025-08-26 20:50 ` Theodore Ts'o
2025-08-27 8:19 ` Mickaël Salaün
2025-08-27 17:35 ` Andy Lutomirski
2025-08-27 19:07 ` Mickaël Salaün
2025-08-27 20:35 ` Andy Lutomirski
2025-08-28 0:14 ` Aleksa Sarai
2025-08-28 0:32 ` Andy Lutomirski
2025-08-28 0:52 ` Aleksa Sarai
2025-08-28 21:01 ` Serge E. Hallyn
2025-09-01 11:05 ` Jann Horn
2025-09-01 13:18 ` Serge E. Hallyn
2025-09-01 16:01 ` Andy Lutomirski
2025-09-01 9:24 ` Roberto Sassu
2025-09-01 16:25 ` Andy Lutomirski
2025-09-01 17:01 ` Roberto Sassu
2025-09-02 8:57 ` Roberto Sassu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250826123041.GB1603531@mit.edu \
--to=tytso@mit.edu \
--cc=ajordanr@google.com \
--cc=arnd@arndb.de \
--cc=bluca@debian.org \
--cc=brauner@kernel.org \
--cc=christian@python.org \
--cc=corbet@lwn.net \
--cc=dvyukov@google.com \
--cc=enh@google.com \
--cc=fweimer@redhat.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mattbobrowski@google.com \
--cc=mic@digikod.net \
--cc=mszeredi@redhat.com \
--cc=nicolas.bouchinet@oss.cyber.gouv.fr \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=rowait@microsoft.com \
--cc=scottsh@microsoft.com \
--cc=serge@hallyn.com \
--cc=sgrubb@redhat.com \
--cc=steve.dower@python.org \
--cc=viro@zeniv.linux.org.uk \
--cc=wufan@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).