From: Amavect
To: 9front@9front.org
Date: Tue, 10 May 2022 23:21:47 -0500
Subject: Re: [9front] [PATCH] kernel: disallow executing from #| or #d
In-Reply-To: <0718a4ed-dd38-06f5-2071-6d2ded50b7fa@posixcafe.org>
Message-ID: <0BBC7720-2562-4C73-9153-0A37CF503820@gmail.com>

I think the correct thing to do is to get the devices to respect the permission bits, potentially allowing execution if chmod made it that way. Also check rw bits. This would make it more consistent to my judgement. Then, we can decide whether to reject a wstat for trying to set the x bit.

Additionally, if you're restricting namespaces, you pretty much have to set RFNOMNT. This removes access to # directories. Devpipe is rendered useless due to using attach messages (can still use pipe(2)), while env and dup can still be pre-bound or not (like capabilities).

Thanks,
Amavect