For downstream certification requirements, we need to make execution of scripts an auditable event. This means that script interpreters need to tell the kernel that they are opening a file for execution. A new open flag, tentatively named O_NEEDEXEC, conveys this information to the kernel. Actual enforcement (x bit or extended attribute) would be implemented by a kernel security module. This is different from O_EXEC (which is more like O_PATH because it allows opening a file with less-than-read access). For special applications, O_NEEDEXEC might even be combined with O_RDWR.
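An added illustration, not part of the original report or of any proposed patch: the closest check a script interpreter can make in userspace today, using the x bit that the report names as one possible enforcement criterion. It does not use the proposed O_NEEDEXEC flag, and the kernel sees only an ordinary read-only open. The helper names `open_script_for_exec` and `demo_check` and the "any execute bit" policy are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical interpreter helper (userspace approximation, not O_NEEDEXEC):
 * accept a script only if it is a regular file with an execute bit. fstat()
 * on the open fd checks the very file that will be read, so no path race. */
int open_script_for_exec(const char *path)
{
    /* O_NONBLOCK keeps open() from hanging on a FIFO; no effect on files. */
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    struct stat st;
    int err = 0;
    if (fstat(fd, &st) != 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || !(st.st_mode & 0111))
        err = EACCES;               /* not a regular file, or no x bit */
    if (err) {
        close(fd);
        errno = err;
        return -1;
    }
    return fd;
}

/* Constructed demo: make a temp file with the given mode; return 0 if the
 * helper accepts it, or the negated errno if it refuses. */
int demo_check(mode_t mode)
{
    char path[] = "/tmp/needexec-demo-XXXXXX";
    int tmp = mkstemp(path);
    if (tmp < 0)
        return -errno;
    fchmod(tmp, mode);
    close(tmp);
    int fd = open_script_for_exec(path);
    int result = (fd >= 0) ? 0 : -errno;
    if (fd >= 0)
        close(fd);
    unlink(path);
    return result;
}

int main(void) { return demo_check(0755) == 0 && demo_check(0644) == -EACCES ? 0 : 1; }
```

A check like this is voluntary for each interpreter and produces no kernel audit record, which is the gap the requested flag is meant to close.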
Have you brought this up with the upstream kernel community or have you identified a developer that is going to do so? Opening this bug is fine if you need it to track things, but it will not likely result in anything actually being merged.
(In reply to Josh Boyer from comment #1)
> Have you brought this up with the upstream kernel community or have you
> identified a developer that is going to do so? Opening this bug is fine if
> you need it to track things, but it will not likely result in anything
> actually being merged.

Thanks for the clarification. Unfortunately, I do not know yet who is going to do the actual implementation/coordination work. The kernel and glibc changes are only a very small part of the overall picture.
(In reply to Florian Weimer from comment #2)
> (In reply to Josh Boyer from comment #1)
> > Have you brought this up with the upstream kernel community or have you
> > identified a developer that is going to do so? Opening this bug is fine if
> > you need it to track things, but it will not likely result in anything
> > actually being merged.
>
> Thanks for the clarification. Unfortunately, I do not know yet who is going
> to do the actual implementation/coordination work. The kernel and glibc
> changes are only a very small part of the overall picture.

It might be helpful to have pointers to the overall picture in any case. This request seems somewhat ambiguous to someone not familiar with the context and reasoning behind it.
I added a bit of background here:

https://fedoraproject.org/wiki/Changes/AllScriptsExecutable

I hope this clarifies the scope and technical aspects.