On Sep 6, 2019, at 1:51 PM, Jeff Layton [off-list ref] wrote:

On Fri, 2019-09-06 at 13:06 -0700, Andy Lutomirski wrote:

quoted

I’m not at all convinced that the kernel needs to distinguish all these, but at least upgradability should be its own thing IMO.

Good point. Upgradability is definitely orthogonal, though the idea
there is to alter the default behavior. If the default is NOEXEC then
UPGRADE_EXEC would make sense.

In any case, I was mostly thinking about the middle two in your list
above. After more careful reading of the patches, I now get get that
Mickaël is more interested in the first, and that's really a different
sort of use-case.

Most opens never result in the fd being fed to fexecve or mmapped with
PROT_EXEC, so having userland explicitly opt-in to allowing that during
the open sounds like a reasonable thing to do.

But I get that preventing execution via script interpreters of files
that are not executable might be something nice to have.

Perhaps we need two flags for openat2?

OA2_MAYEXEC : test that permissions allow execution and that the file
doesn't reside on a noexec mount before allowing the open

OA2_EXECABLE : only allow fexecve or mmapping with PROT_EXEC if the fd
was opened with this

We could go one step farther and have three masks: check_perms,
fd_perms, and upgrade_perms.  check_perms says “fail if I don’t have
these perms”.  fd_perms is the permissions on the returned fd, and
upgrade_perms is the upgrade mask.  (fd_perms  & ~check_perms) != 0 is
an error.  This makes it possible to say "I want to make sure the file
is writable, but I don't actually want to write to it", which could
plausibly be useful.

I would argue that these things should have new, sane bits, e.g.
FILE_READ, FILE_WRITE, and FILE_EXECUTE (or maybe FILE_MAP_EXEC and
FILE_EXECVE).  And maybe there should be at least 16 bits for each
mask reserved.  Windows has a lot more mode bits than Linux, and it's
not entirely nuts.  We do *not* need any direct equivalent of O_RDWR
for openat2().

--Andy