
O_MAYEXEC — explicitly opening files for execution


Posted May 12, 2020 16:37 UTC (Tue) by l0kod (subscriber, #111864)
In reply to: O_MAYEXEC — explicitly opening files for execution by dullfire
Parent article: O_MAYEXEC — explicitly opening files for execution

As explained in the documentation patch, the ability to restrict code execution must be thought of as a system-wide policy: https://lwn.net/ml/linux-kernel/20200505153156.925111-6-m...
As with other security policies, enforcing such execution prevention does not make sense on all system installations, especially developers' ones.

O_MAYEXEC is only one part of the solution. According to your threat model, using stdin (or other ways) to push code to interpreters may be legitimate or not. O_MAYEXEC doesn't help for this problem, but there are other solutions (which don't require kernel modification). You can get inspiration from CLIP OS 4: https://github.com/clipos-archive/clipos4_portage-overlay...

The difference between code and data is relative. According to your threat model, one way to draw a line is to identify which kind of input (Python, JavaScript, HTML, CSS…) can do system calls (which could lead to kernel attacks) or can have fine control of CPU instructions (which could lead to side channel attacks): https://lore.kernel.org/lkml/d1a81d06-7530-1f2b-858a-e42b...
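The comment above distinguishes an interpreter opening a script "for execution" from an ordinary data open, and frames the resulting restriction as a system-wide policy. The following added example (not code from the comment author, the kernel patch set or CLIP OS) shows that distinction in userspace: an interpreter-style `open_for_exec()` applies a policy (noexec mount, execute bit, world-writable file) before handing back a file descriptor, while normal reads stay untouched. The `ExecPolicy` class, the denial reasons and the `NOEXEC_FLAG` fallback value are assumptions of this example; the real O_MAYEXEC proposal moved this decision into the kernel so that it cannot be skipped by an interpreter.

```python
"""Userspace approximation of the policy O_MAYEXEC would let the kernel enforce.

Added illustration only: not the kernel patch set and not CLIP OS code.
An interpreter that opens a script "for execution" refuses to run it when
the file lives on a noexec mount, has no execute bit, or is world-writable.
Plain data opens (reading a config file) are not subject to this check.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# os.ST_NOEXEC exists on Linux; the numeric fallback (8) is an assumption
# used only so the pure policy function can be exercised on other platforms.
NOEXEC_FLAG = getattr(os, "ST_NOEXEC", 0x8)


@dataclass(frozen=True)
class ExecPolicy:
    """Hypothetical system-wide execution policy (assumed knobs, not kernel ones)."""
    deny_noexec_mount: bool = True    # refuse files on mounts flagged noexec
    require_exec_bit: bool = True     # refuse files without any x permission bit
    deny_world_writable: bool = True  # refuse files any local user can modify


def check_exec_policy(mode: int, fs_flags: int, policy: ExecPolicy) -> Optional[str]:
    """Return None when execution is allowed, otherwise the reason for denial.

    Pure function over st_mode and statvfs f_flag so it can be tested
    without depending on how the local filesystem is mounted.
    """
    if policy.deny_noexec_mount and fs_flags & NOEXEC_FLAG:
        return "file is on a noexec mount"
    if policy.require_exec_bit and not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return "file has no execute permission bit"
    if policy.deny_world_writable and mode & stat.S_IWOTH:
        return "file is world-writable"
    return None


def open_for_exec(path: str, policy: ExecPolicy = ExecPolicy()) -> int:
    """Open `path` with intent to execute its content; raise PermissionError if denied.

    The check runs on the already-open descriptor (fstat/fstatvfs) so the
    decision applies to the same file the caller will read afterwards.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        reason = check_exec_policy(st.st_mode, os.fstatvfs(fd).f_flag, policy)
        if reason is not None:
            raise PermissionError(f"{path}: {reason}")
    except BaseException:
        os.close(fd)
        raise
    return fd


def open_for_data(path: str) -> int:
    """Ordinary data open: no execution policy applies."""
    return os.open(path, os.O_RDONLY | os.O_CLOEXEC)


def demo_script_without_exec_bit() -> str:
    """Create a constructed script with mode 0644 and report how each open fares.

    Returns "denied" when the exec-intent open is refused while the data
    open still succeeds, which is the expected outcome for this file.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write("print('constructed sample script')\n")
        path = f.name
    os.chmod(path, 0o644)
    try:
        data_fd = open_for_data(path)
        os.close(data_fd)
        try:
            fd = open_for_exec(path)
        except PermissionError:
            return "denied"
        os.close(fd)
        return "allowed"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("exec-intent open of a 0644 script:", demo_script_without_exec_bit())
```

The ordering of the checks matters for predictability: the mount flag is evaluated first, so a file on a `noexec` mount is refused regardless of its permission bits, and the exec-bit check comes before the world-writable check because a non-executable file is the more common case. Nothing in this example prevents an interpreter from simply calling `open()` and bypassing `open_for_exec()`, which is exactly the gap the kernel-side flag was proposed to close.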

Copyright © 2025, Eklektix, Inc.