Thread: 80 messages, 12 authors, 2024-08-09

Re: [RFC PATCH v19 5/5] samples/should-exec: Add set-should-exec

From: Mickaël Salaün <mic@digikod.net>
Date: 2024-07-09 20:42:57
Also in: linux-api, linux-fsdevel, linux-integrity, lkml

On Mon, Jul 08, 2024 at 03:40:42PM -0400, Mimi Zohar wrote:
> Hi Mickaël,
>
> On Thu, 2024-07-04 at 21:01 +0200, Mickaël Salaün wrote:
> > Add a simple tool to set SECBIT_SHOULD_EXEC_CHECK,
> > SECBIT_SHOULD_EXEC_RESTRICT, and their lock counterparts before
> > executing a command.  This should be useful to easily test against
> > script interpreters.
>
> The print_usage() provides the calling syntax.  Could you provide an example of
> how to use it and what to expect?

To set SECBIT_SHOULD_EXEC_CHECK, SECBIT_SHOULD_EXEC_RESTRICT, and lock
them on a new shell (session) we can use this:

./set-should-exec -crl -- bash -i

This would have no impact unless Bash, ld.so, or one of its child code
is patched to restrict execution (e.g. with execveat+AT_CHECK check).
Script interpreters and dynamic linkers need to be patched on a secure
system.  Steve is enlightening Python, and we'll need more similar
changes for common user space code.  This can be an incremental work and
only enforced on some user sessions or containers for instance.

> thanks,
>
> Mimi
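As an added illustration (not code from the thread, from set-should-exec, or from the RFC series), the following C program shows the interpreter-side half of what Mickaël describes: read the task's securebits with prctl(PR_GET_SECUREBITS), ask the kernel through execveat() with AT_CHECK whether a script file would be allowed to execute, and then let the SECBIT_SHOULD_EXEC_CHECK and SECBIT_SHOULD_EXEC_RESTRICT bits decide whether to run the script, run it with a warning, or refuse. The numeric values of those securebits and of AT_CHECK are placeholders assumed for this example (they are not taken from any mainline header), and the decision rule (RESTRICT turns a failed check into a denial, CHECK alone only logs it) is this example's reading of the bit names rather than text from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * The securebit and execveat flag names below are the ones used in the RFC
 * series discussed in the thread. Their numeric values are placeholders
 * assumed for this example and are NOT taken from any mainline header.
 */
#ifndef SECBIT_SHOULD_EXEC_CHECK
#define SECBIT_SHOULD_EXEC_CHECK    (1UL << 8)   /* placeholder value */
#endif
#ifndef SECBIT_SHOULD_EXEC_RESTRICT
#define SECBIT_SHOULD_EXEC_RESTRICT (1UL << 10)  /* placeholder value */
#endif
#ifndef AT_CHECK
#define AT_CHECK 0x10000                         /* placeholder value */
#endif

enum exec_policy { EXEC_ALLOW = 0, EXEC_LOG_ONLY = 1, EXEC_DENY = 2 };

/*
 * Pure policy decision an interpreter can apply before running a script
 * (the rule is this example's assumption about the bit semantics):
 *  - CHECK bit clear: legacy behaviour, run the script;
 *  - CHECK set and the kernel approved the file: run it;
 *  - CHECK set, kernel refused, RESTRICT clear: run it but log (permissive);
 *  - CHECK and RESTRICT set, kernel refused: deny.
 */
enum exec_policy should_exec_decide(unsigned long secbits, bool kernel_approved)
{
	if (!(secbits & SECBIT_SHOULD_EXEC_CHECK))
		return EXEC_ALLOW;
	if (kernel_approved)
		return EXEC_ALLOW;
	if (secbits & SECBIT_SHOULD_EXEC_RESTRICT)
		return EXEC_DENY;
	return EXEC_LOG_ONLY;
}

/*
 * Ask the kernel whether fd would be allowed to execute, without executing
 * it. With AT_CHECK the RFC's execveat() returns 0 on approval; a non-zero
 * return with errno set to EACCES is a policy refusal, and EINVAL means the
 * running kernel does not know the AT_CHECK flag at all (treated as refusal
 * here, so an unpatched kernel fails closed under RESTRICT).
 */
static bool kernel_exec_check(int fd)
{
	char *const no_args[] = { NULL };
	char *const no_env[] = { NULL };
	long ret = syscall(SYS_execveat, fd, "", no_args, no_env,
			   AT_EMPTY_PATH | AT_CHECK);
	return ret == 0;
}

int main(int argc, char *argv[])
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s <script>\n", argv[0]);
		return 2;
	}
	int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
	if (fd < 0) {
		perror("open");
		return 2;
	}
	int bits = prctl(PR_GET_SECUREBITS);
	if (bits < 0) {
		perror("prctl");
		return 2;
	}
	bool approved = kernel_exec_check(fd);
	int err = errno;  /* saved before any library call can clobber it */
	switch (should_exec_decide((unsigned long)bits, approved)) {
	case EXEC_ALLOW:
		printf("%s: would run\n", argv[1]);
		return 0;
	case EXEC_LOG_ONLY:
		printf("%s: kernel refused (%s) but RESTRICT is clear; "
		       "running with a warning\n", argv[1], strerror(err));
		return 0;
	case EXEC_DENY:
		printf("%s: denied (%s)\n", argv[1], strerror(err));
		return 1;
	}
	return 0;
}
```

Run it from a shell started with `./set-should-exec -crl -- bash -i` and pass a script path to see which branch the current securebits select; on a kernel without the RFC applied, execveat() rejects the unknown flag, so the RESTRICT branch denies and the CHECK-only branch just warns.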