Re: [PATCH v5 3/6] fs: Enable to enforce noexec mounts or file exec through O_MAYEXEC

From: Randy Dunlap
Date: Tue May 05 2020 - 11:44:44 EST


On 5/5/20 8:31 AM, MickaÃl SalaÃn wrote:
> diff --git a/security/Kconfig b/security/Kconfig
> index cd3cc7da3a55..d8fac9240d14 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -230,6 +230,32 @@ config STATIC_USERMODEHELPER_PATH
> If you wish for all usermode helper programs to be disabled,
> specify an empty string here (i.e. "").
>
> +menuconfig OMAYEXEC_STATIC
> + tristate "Configure O_MAYEXEC behavior at build time"
> + ---help---
> + Enable to enforce O_MAYEXEC at build time, and disable the dedicated
> + fs.open_mayexec_enforce sysctl.

That help message is a bit confusing IMO. Does setting/enabling OMAYEXEC_STATIC
both enforce O_MAYEXEC at build time and also disable the dedicated sysctl?

Or are these meant to be alternatives, one for what Enabling this kconfig symbol
does and the other for what Disabling this symbol does? If so, it doesn't
say that.

> +
> + See Documentation/admin-guide/sysctl/fs.rst for more details.
> +
> +if OMAYEXEC_STATIC
> +
> +config OMAYEXEC_ENFORCE_MOUNT
> + bool "Mount restriction"
> + default y
> + ---help---
> + Forbid opening files with the O_MAYEXEC option if their underlying VFS is
> + mounted with the noexec option or if their superblock forbids execution
> + of its content (e.g., /proc).
> +
> +config OMAYEXEC_ENFORCE_FILE
> + bool "File permission restriction"
> + ---help---
> + Forbid opening files with the O_MAYEXEC option if they are not marked as
> + executable for the current process (e.g., POSIX permissions).
> +
> +endif # OMAYEXEC_STATIC
> +
> source "security/selinux/Kconfig"
> source "security/smack/Kconfig"
> source "security/tomoyo/Kconfig"


--
~Randy
Reported-by: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>