The fexecve function could be implemented entirely in libc, via execve(2) on a file name of the form "/proc/self/fd/<N>". Any security concerns around fexecve() also apply to exec of /proc/self/fd/<N>.

I gave this approach a try. There is an unexpected issue: the descriptor is probably already "closed on exec" before the syscall tries to use it.
I believe that we should not "fix" that without a proper design of how all the parts will work together.
Some questions that I would like to see answered are: Should it be possible to exec a fd only if a special flag was used in the open(2) call? Should the file's executability be checked at open time or at exec time, or both, or does it depend on open flags or on what happened to the fd in between open and exec? Should the record of the fact that the fd may be eligible for exec be erased when the fd is passed from one process to another? Always or only sometimes? How can fds obtained from procfs be made to follow the rules?
--apb (Alan Barrett)
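The libc-only fexecve sketched in the first message, written out as an added example (this is not code from the thread or from any libc): execve(2) on "/proc/self/fd/<N>", preceded by an exec-time executability check on the descriptor itself (`fd_is_executable`, an assumed check of the kind the later questions ask about), plus a small harness that opens /bin/sh with O_CLOEXEC and reports whether exec still reached the file through the fd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
extern char **environ;

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int fd_has_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* Assumed exec-time check on the descriptor, not on a path: regular file with an x bit. */
int fd_is_executable(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) ? 1 : 0;
}

/* libc-only fexecve: execve(2) on "/proc/self/fd/<N>". Returns only on failure. */
int fexecve_via_proc(int fd, char *const argv[], char *const envp[]) {
    char path[64];
    if (fd_is_executable(fd) != 1) { errno = EACCES; return -1; }
    snprintf(path, sizeof path, "/proc/self/fd/%d", fd);
    return execve(path, argv, envp);
}

/* Open /bin/sh with O_CLOEXEC and exec it through the fd in a child. Returns the child's
   exit status: 7 if exec reached the file via /proc/self/fd, 127 if execve failed there. */
int run_sh_via_fd(void) {
    int fd = open("/bin/sh", O_RDONLY | O_CLOEXEC), status;
    if (fd < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd); return -1; }
    if (pid == 0) {
        char *argv[] = { "sh", "-c", "exit 7", NULL };
        fexecve_via_proc(fd, argv, environ);
        _exit(127); /* exec did not happen: the fd was not reachable through /proc */
    }
    close(fd);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("exec through /proc/self/fd exited with %d\n", run_sh_via_fd());
    return 0;
}
```

An exit status of 7 means the kernel resolved the /proc name before applying close-on-exec; 127 is the failure the second message describes, where the descriptor is gone by the time exec looks for it.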