Thread: 36 messages, 11 authors, 2025-09-02

Re: [RFC PATCH v1 0/2] Add O_DENY_WRITE (complement AT_EXECVE_CHECK)

From: "Theodore Ts'o" <tytso@mit.edu>
Date: 2025-08-26 12:34:42
Also in: linux-api, linux-fsdevel, linux-integrity, lkml

Is there a single, unified design and requirements document that
describes the threat model, and what you are trying to achieve with
AT_EXECVE_CHECK and O_DENY_WRITE?  I've been looking at the cover
letters for AT_EXECVE_CHECK and O_DENY_WRITE, and the documentation
that has landed for AT_EXECVE_CHECK and it really doesn't describe
what *are* the checks that AT_EXECVE_CHECK is trying to achieve:

   "The AT_EXECVE_CHECK execveat(2) flag, and the
   SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
   securebits are intended for script interpreters and dynamic linkers
   to enforce a consistent execution security policy handled by the
   kernel."

Um, what security policy?  What checks?  What is a sample exploit
which is blocked by AT_EXECVE_CHECK?

And then on top of it, why can't you do these checks by modifying the
script interpreters?

Confused,

						- Ted
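As an added example that is not part of Ted's message or of the patch series under discussion, the following C program shows the use that the quoted documentation describes for the execveat(2) flag: a script interpreter opens the file it is about to run and asks the kernel, via AT_EXECVE_CHECK, whether executing that file would be permitted, without executing it. The flag value (taken from linux/fcntl.h on kernels that have it), the mapping of errno values to verdicts, and the helper names are assumptions of this example; the constructed temporary file used for the self-test is deliberately non-executable, so a supporting kernel reports it as denied, and an older kernel reports the flag as unsupported (EINVAL) rather than silently allowing the file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Flag value as defined in linux/fcntl.h on kernels that support it; repeated
 * here (an assumption of this example) so it compiles against older headers. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

enum exec_check {
    EXEC_CHECK_ALLOWED,     /* kernel would permit executing this file */
    EXEC_CHECK_DENIED,      /* kernel refused (mode bits, noexec mount, LSM policy, ...) */
    EXEC_CHECK_UNSUPPORTED, /* running kernel rejects the flag (EINVAL) */
    EXEC_CHECK_ERROR        /* some other failure; errno is left for the caller */
};

/* Ask the kernel whether the file behind `fd` would be allowed to execute,
 * without executing it. The argv/envp arrays are placeholders: nothing is
 * started with AT_EXECVE_CHECK, but the syscall still wants valid pointers. */
enum exec_check check_exec_fd(int fd)
{
    char *const args[] = { "script", NULL };
    char *const envp[] = { NULL };
    long rc = syscall(SYS_execveat, fd, "", args, envp,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    if (rc == 0)
        return EXEC_CHECK_ALLOWED;
    switch (errno) {
    case EACCES:
        return EXEC_CHECK_DENIED;
    case EINVAL:
        return EXEC_CHECK_UNSUPPORTED;
    default:
        return EXEC_CHECK_ERROR;
    }
}

/* Self-test helper: create a temporary regular file with no execute bit
 * (constructed input), run the check on it, and return the verdict. A kernel
 * that implements the flag answers EXEC_CHECK_DENIED; an older one answers
 * EXEC_CHECK_UNSUPPORTED. Neither answer is "allowed". */
enum exec_check check_nonexecutable_tmpfile(void)
{
    char path[] = "/tmp/execcheck-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return EXEC_CHECK_ERROR;
    fchmod(fd, 0600); /* clear any execute bit the umask might have left */
    enum exec_check verdict = check_exec_fd(fd);
    close(fd);
    unlink(path);
    return verdict;
}

static const char *verdict_name(enum exec_check v)
{
    switch (v) {
    case EXEC_CHECK_ALLOWED:     return "allowed";
    case EXEC_CHECK_DENIED:      return "denied";
    case EXEC_CHECK_UNSUPPORTED: return "unsupported";
    default:                     return "error";
    }
}

/* Usage: ./execcheck path/to/script   (no argument: self-test on a temp file).
 * An interpreter would refuse to run the file on any verdict but "allowed". */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("temp file: %s\n", verdict_name(check_nonexecutable_tmpfile()));
        return 0;
    }
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    enum exec_check v = check_exec_fd(fd);
    printf("%s: %s\n", argv[1], verdict_name(v));
    if (v == EXEC_CHECK_ERROR)
        perror("execveat");
    close(fd);
    return v == EXEC_CHECK_ALLOWED ? 0 : 1;
}
```

The design point worth noting is the tri-state result: an interpreter that collapses "unsupported" into "allowed" would silently lose the policy on older kernels, whereas treating anything other than a clean 0 as a refusal keeps the decision with the kernel as the quoted documentation intends.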