Bug 1322443

Summary: kernel: Implement O_NEEDEXEC in open, openat
Product: Fedora
Component: kernel
Version: rawhide
Status: NEW
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Florian Weimer <fweimer>
Assignee: Kernel Maintainer List <kernel-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, sam, sgrubb
Keywords: FutureFeature
Type: Bug
Doc Type: Enhancement
Bug Blocks: 1322444

Description Florian Weimer 2016-03-30 14:00:37 UTC
For downstream certification requirements, we need to make execution of scripts an auditable event.  This means that script interpreters need to tell the kernel that they are opening a file for execution.  A new open flag, tentatively named O_NEEDEXEC, conveys this information to the kernel.  Actual enforcement (x bit or extended attribute) would be implemented by a kernel security module.

This is different from O_EXEC (which is more like O_PATH because it allows opening a file with less-than-read access).  For special applications, O_NEEDEXEC might even be combined with O_RDWR.
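
The description above separates two things: the interpreter signalling execution intent through an open flag, and a security module deciding whether that open is permitted and recording it. The following C program is an added, user-space model of that split; it is not code from the bug report, from Fedora, or from any kernel. The flag value `O_NEEDEXEC_HYPOTHETICAL`, the `needexec_hook` function and the `file_model` struct are hypothetical stand-ins (no kernel defines them), and the file entries are constructed sample data. It shows what the proposal implies: the flag is ORed into the ordinary access mode (so O_RDWR combined with it still yields a usable descriptor, unlike the O_EXEC/O_PATH style of open), enforcement keys off the x bit or an extended attribute, and every exec-intent open produces an audit record whether it is allowed or denied.

```c
/* Added example, not from the bug report: a user-space model of the
 * proposed O_NEEDEXEC semantics. The flag value and the hook below are
 * hypothetical placeholders; no kernel implements them. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical flag bit (placeholder; not a real kernel constant). */
#define O_NEEDEXEC_HYPOTHETICAL 0x10000000

/* Minimal stand-in for the inode state a security module could inspect. */
struct file_model {
    const char *path;
    mode_t mode;        /* permission bits, e.g. 0644 or 0755 */
    int exec_xattr;     /* constructed: 1 if a "may execute" xattr is set */
};

/* Model of the enforcement a security module might apply: an open that
 * carries the execution-intent flag is allowed only if the file is marked
 * executable (x bit or xattr). The access mode (O_RDONLY, O_RDWR) is not
 * consulted, which is where this differs from O_EXEC/O_PATH: the caller
 * still receives a fully usable read (or read/write) descriptor.
 * Returns 0 when permitted, -EACCES when denied. */
int needexec_hook(const struct file_model *f, int flags,
                  char *audit, size_t audit_len)
{
    if (!(flags & O_NEEDEXEC_HYPOTHETICAL)) {
        /* Ordinary open: not an execution event, nothing to audit. */
        audit[0] = '\0';
        return 0;
    }
    int executable = (f->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0
                     || f->exec_xattr;
    /* Every exec-intent open is recorded, whether allowed or denied. */
    snprintf(audit, audit_len, "SCRIPT_EXEC path=%s mode=%04o result=%s",
             f->path, (unsigned)f->mode, executable ? "allowed" : "denied");
    return executable ? 0 : -EACCES;
}

/* How an interpreter would signal intent: the flag is ORed into the usual
 * access mode rather than replacing it. */
int interpreter_open_flags(int accmode)
{
    return accmode | O_NEEDEXEC_HYPOTHETICAL;
}

int main(void)
{
    struct file_model script = { "/tmp/example.sh", 0755, 0 };  /* constructed */
    struct file_model data   = { "/tmp/notes.txt",  0644, 0 };  /* constructed */
    char audit[128];
    int rc;

    /* Interpreter opens an executable script: allowed, audited. */
    rc = needexec_hook(&script, interpreter_open_flags(O_RDONLY), audit, sizeof audit);
    printf("%d %s\n", rc, audit);

    /* Interpreter opens a plain data file for execution: denied, audited. */
    rc = needexec_hook(&data, interpreter_open_flags(O_RDONLY), audit, sizeof audit);
    printf("%d %s\n", rc, audit);

    /* Ordinary read of the same file without the flag: untouched by the policy. */
    rc = needexec_hook(&data, O_RDONLY, audit, sizeof audit);
    printf("%d [%s]\n", rc, audit);
    return 0;
}
```

The third call is the important contrast: reading a script as data stays unaffected, so only the interpreter's declared intent turns an open into an auditable execution event.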

Comment 1 Josh Boyer 2016-03-30 14:06:50 UTC
Have you brought this up with the upstream kernel community or have you identified a developer that is going to do so?  Opening this bug is fine if you need it to track things, but it will not likely result in anything actually being merged.

Comment 2 Florian Weimer 2016-03-30 14:12:25 UTC
(In reply to Josh Boyer from comment #1)
> Have you brought this up with the upstream kernel community or have you
> identified a developer that is going to do so?  Opening this bug is fine if
> you need it to track things, but it will not likely result in anything
> actually being merged.

Thanks for the clarification.  Unfortunately, I do not know yet who is going to do the actual implementation/coordination work.  The kernel and glibc changes are only a very small part of the overall picture.

Comment 3 Josh Boyer 2016-03-30 14:23:25 UTC
(In reply to Florian Weimer from comment #2)
> (In reply to Josh Boyer from comment #1)
> > Have you brought this up with the upstream kernel community or have you
> > identified a developer that is going to do so?  Opening this bug is fine if
> > you need it to track things, but it will not likely result in anything
> > actually being merged.
> 
> Thanks for the clarification.  Unfortunately, I do not know yet who is going
> to do the actual implementation/coordination work.  The kernel and glibc
> changes are only a very small part of the overall picture.

It might be helpful to have pointers to the overall picture in any case.  This request seems somewhat ambiguous to someone not familiar with the context and reasoning behind it.

Comment 4 Florian Weimer 2016-03-30 15:03:53 UTC
I added a bit of background here:

  https://fedoraproject.org/wiki/Changes/AllScriptsExecutable

I hope this clarifies the scope and technical aspects.