Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property

[PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-05
[PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) · Christian Heimes <hidden> · 2020-05-12
Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 1/6] fs: Add support for an O_MAYEXEC flag on openat2(2) · Mickaël Salaün <mic@digikod.net> · 2020-05-13
[PATCH v5 6/6] ima: add policy support for the new file open MAY_OPENEXEC flag · Mickaël Salaün <mic@digikod.net> · 2020-05-05
[PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property · Lev R. Oshvang . <hidden> · 2020-05-14
Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property · Kees Cook <hidden> · 2020-05-14
Re: [PATCH v5 2/6] fs: Add a MAY_EXECMOUNT flag to infer the noexec mount property · Lev R. Oshvang . <hidden> · 2020-05-17
[PATCH v5 4/6] selftest/openat2: Add tests for O_MAYEXEC enforcing · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 4/6] selftest/openat2: Add tests for O_MAYEXEC enforcing · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 4/6] selftest/openat2: Add tests for O_MAYEXEC enforcing · Mickaël Salaün <mic@digikod.net> · 2020-05-13
[PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Randy Dunlap <hidden> · 2020-05-05
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Randy Dunlap <hidden> · 2020-05-05
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-13
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-05-13
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-05-13
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-05-14
RE: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · David Laight <hidden> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Kees Cook <hidden> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Stephen Smalley <stephen.smalley.work@gmail.com> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-14
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> · 2020-05-15
How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC) · Kees Cook <hidden> · 2020-05-15
Re: How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC) · Mickaël Salaün <mic@digikod.net> · 2020-05-15
Re: How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC) · Kees Cook <hidden> · 2020-05-15
Re: How about just O_EXEC? (was Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC) · Mickaël Salaün <mic@digikod.net> · 2020-05-15
Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-14
[PATCH v5 5/6] doc: Add documentation for the fs.open_mayexec_enforce sysctl · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 5/6] doc: Add documentation for the fs.open_mayexec_enforce sysctl · Kees Cook <hidden> · 2020-05-12
Re: [PATCH v5 5/6] doc: Add documentation for the fs.open_mayexec_enforce sysctl · Mickaël Salaün <mic@digikod.net> · 2020-05-13
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-05
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Lev R. Oshvang . <hidden> · 2020-05-06
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Aleksa Sarai <hidden> · 2020-05-06
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-07
RE: [PATCH v5 0/6] Add support for O_MAYEXEC · David Laight <hidden> · 2020-05-07
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-07
RE: [PATCH v5 0/6] Add support for O_MAYEXEC · David Laight <hidden> · 2020-05-07
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-07
RE: [PATCH v5 0/6] Add support for O_MAYEXEC · David Laight <hidden> · 2020-05-07
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mickaël Salaün <mic@digikod.net> · 2020-05-07
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Lev R. Oshvang . <hidden> · 2020-05-08
Re: [PATCH v5 0/6] Add support for O_MAYEXEC · Mimi Zohar <zohar@linux.ibm.com> · 2020-05-08

From: Kees Cook <hidden>
Date: 2020-05-14 15:49:03
Also in: linux-fsdevel, linux-integrity, linux-security-module, lkml

On Thu, May 14, 2020 at 11:14:04AM +0300, Lev R. Oshvang . wrote:

New sysctl is indeed required to allow userspace that places scripts
or libs under noexec mounts.

But since this is a not-uncommon environment, we must have the sysctl
otherwise this change would break those systems.

fs.mnt_noexec_strict =0 (allow, e) , 1 (deny any file with --x
permission), 2 (deny when O_MAYEXEC absent), for any file with ---x
permissions)

I don't think we want another mount option -- this is already fully
expressed with noexec and the system-wide sysctl.

-- 
Kees Cook

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help