tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull AT_EXECVE_CHECK from Kees Cook:
- Implement AT_EXECVE_CHECK flag to execveat(2) (Mickaël Salaün)
- Implement EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
(Mickaël Salaün)
- Add selftests and samples for AT_EXECVE_CHECK (Mickaël Salaün)
* tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
ima: instantiate the bprm_creds_for_exec() hook
samples/check-exec: Add an enlighten "inc" interpreter and 28 tests
selftests: ktap_helpers: Fix uninitialized variable
samples/check-exec: Add set-exec
selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK
selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits
security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
exec: Add a new AT_EXECVE_CHECK flag to execveat(2)
+1341
-14
+144
Documentation/userspace-api/check_exec.rst
+144
Documentation/userspace-api/check_exec.rst
···
1
+
.. SPDX-License-Identifier: GPL-2.0
2
+
.. Copyright © 2024 Microsoft Corporation
3
+
4
+
===================
5
+
Executability check
6
+
===================
7
+
8
+
The ``AT_EXECVE_CHECK`` :manpage:`execveat(2)` flag, and the
9
+
``SECBIT_EXEC_RESTRICT_FILE`` and ``SECBIT_EXEC_DENY_INTERACTIVE`` securebits
10
+
are intended for script interpreters and dynamic linkers to enforce a
11
+
consistent execution security policy handled by the kernel. See the
12
+
`samples/check-exec/inc.c`_ example.
13
+
14
+
Whether an interpreter should check these securebits or not depends on the
15
+
security risk of running malicious scripts with respect to the execution
16
+
environment, and whether the kernel can check if a script is trustworthy or
17
+
not. For instance, Python scripts running on a server can use arbitrary
18
+
syscalls and access arbitrary files. Such interpreters should then be
19
+
enlighten to use these securebits and let users define their security policy.
20
+
However, a JavaScript engine running in a web browser should already be
21
+
sandboxed and then should not be able to harm the user's environment.
22
+
23
+
Script interpreters or dynamic linkers built for tailored execution environments
24
+
(e.g. hardened Linux distributions or hermetic container images) could use
25
+
``AT_EXECVE_CHECK`` without checking the related securebits if backward
26
+
compatibility is handled by something else (e.g. atomic update ensuring that
27
+
all legitimate libraries are allowed to be executed). It is then recommended
28
+
for script interpreters and dynamic linkers to check the securebits at run time
29
+
by default, but also to provide the ability for custom builds to behave like if
30
+
``SECBIT_EXEC_RESTRICT_FILE`` or ``SECBIT_EXEC_DENY_INTERACTIVE`` were always
31
+
set to 1 (i.e. always enforce restrictions).
32
+
33
+
AT_EXECVE_CHECK
34
+
===============
35
+
36
+
Passing the ``AT_EXECVE_CHECK`` flag to :manpage:`execveat(2)` only performs a
37
+
check on a regular file and returns 0 if execution of this file would be
38
+
allowed, ignoring the file format and then the related interpreter dependencies
39
+
(e.g. ELF libraries, script's shebang).
40
+
41
+
Programs should always perform this check to apply kernel-level checks against
42
+
files that are not directly executed by the kernel but passed to a user space
43
+
interpreter instead. All files that contain executable code, from the point of
44
+
view of the interpreter, should be checked. However the result of this check
45
+
should only be enforced according to ``SECBIT_EXEC_RESTRICT_FILE`` or
46
+
``SECBIT_EXEC_DENY_INTERACTIVE.``.
47
+
48
+
The main purpose of this flag is to improve the security and consistency of an
49
+
execution environment to ensure that direct file execution (e.g.
50
+
``./script.sh``) and indirect file execution (e.g. ``sh script.sh``) lead to
51
+
the same result. For instance, this can be used to check if a file is
52
+
trustworthy according to the caller's environment.
53
+
54
+
In a secure environment, libraries and any executable dependencies should also
55
+
be checked. For instance, dynamic linking should make sure that all libraries
56
+
are allowed for execution to avoid trivial bypass (e.g. using ``LD_PRELOAD``).
57
+
For such secure execution environment to make sense, only trusted code should
58
+
be executable, which also requires integrity guarantees.
59
+
60
+
To avoid race conditions leading to time-of-check to time-of-use issues,
61
+
``AT_EXECVE_CHECK`` should be used with ``AT_EMPTY_PATH`` to check against a
62
+
file descriptor instead of a path.
63
+
64
+
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
65
+
==========================================================
66
+
67
+
When ``SECBIT_EXEC_RESTRICT_FILE`` is set, a process should only interpret or
68
+
execute a file if a call to :manpage:`execveat(2)` with the related file
69
+
descriptor and the ``AT_EXECVE_CHECK`` flag succeed.
70
+
71
+
This secure bit may be set by user session managers, service managers,
72
+
container runtimes, sandboxer tools... Except for test environments, the
73
+
related ``SECBIT_EXEC_RESTRICT_FILE_LOCKED`` bit should also be set.
74
+
75
+
Programs should only enforce consistent restrictions according to the
76
+
securebits but without relying on any other user-controlled configuration.
77
+
Indeed, the use case for these securebits is to only trust executable code
78
+
vetted by the system configuration (through the kernel), so we should be
79
+
careful to not let untrusted users control this configuration.
80
+
81
+
However, script interpreters may still use user configuration such as
82
+
environment variables as long as it is not a way to disable the securebits
83
+
checks. For instance, the ``PATH`` and ``LD_PRELOAD`` variables can be set by
84
+
a script's caller. Changing these variables may lead to unintended code
85
+
executions, but only from vetted executable programs, which is OK. For this to
86
+
make sense, the system should provide a consistent security policy to avoid
87
+
arbitrary code execution e.g., by enforcing a write xor execute policy.
88
+
89
+
When ``SECBIT_EXEC_DENY_INTERACTIVE`` is set, a process should never interpret
90
+
interactive user commands (e.g. scripts). However, if such commands are passed
91
+
through a file descriptor (e.g. stdin), its content should be interpreted if a
92
+
call to :manpage:`execveat(2)` with the related file descriptor and the
93
+
``AT_EXECVE_CHECK`` flag succeed.
94
+
95
+
For instance, script interpreters called with a script snippet as argument
96
+
should always deny such execution if ``SECBIT_EXEC_DENY_INTERACTIVE`` is set.
97
+
98
+
This secure bit may be set by user session managers, service managers,
99
+
container runtimes, sandboxer tools... Except for test environments, the
100
+
related ``SECBIT_EXEC_DENY_INTERACTIVE_LOCKED`` bit should also be set.
101
+
102
+
Here is the expected behavior for a script interpreter according to combination
103
+
of any exec securebits:
104
+
105
+
1. ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``
106
+
107
+
Always interpret scripts, and allow arbitrary user commands (default).
108
+
109
+
No threat, everyone and everything is trusted, but we can get ahead of
110
+
potential issues thanks to the call to :manpage:`execveat(2)` with
111
+
``AT_EXECVE_CHECK`` which should always be performed but ignored by the
112
+
script interpreter. Indeed, this check is still important to enable systems
113
+
administrators to verify requests (e.g. with audit) and prepare for
114
+
migration to a secure mode.
115
+
116
+
2. ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``
117
+
118
+
Deny script interpretation if they are not executable, but allow
119
+
arbitrary user commands.
120
+
121
+
The threat is (potential) malicious scripts run by trusted (and not fooled)
122
+
users. That can protect against unintended script executions (e.g. ``sh
123
+
/tmp/*.sh``). This makes sense for (semi-restricted) user sessions.
124
+
125
+
3. ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``
126
+
127
+
Always interpret scripts, but deny arbitrary user commands.
128
+
129
+
This use case may be useful for secure services (i.e. without interactive
130
+
user session) where scripts' integrity is verified (e.g. with IMA/EVM or
131
+
dm-verity/IPE) but where access rights might not be ready yet. Indeed,
132
+
arbitrary interactive commands would be much more difficult to check.
133
+
134
+
4. ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``
135
+
136
+
Deny script interpretation if they are not executable, and also deny
137
+
any arbitrary user commands.
138
+
139
+
The threat is malicious scripts run by untrusted users (but trusted code).
140
+
This makes sense for system services that may only execute trusted scripts.
141
+
142
+
.. Links
143
+
.. _samples/check-exec/inc.c:
144
+
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/check-exec/inc.c
+1
Documentation/userspace-api/index.rst
+1
Documentation/userspace-api/index.rst
+18
-2
fs/exec.c
+18
-2
fs/exec.c
···
892
892
.lookup_flags = LOOKUP_FOLLOW,
893
893
};
894
894
895
-
if ((flags & ~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH)) != 0)
895
+
if ((flags &
896
+
~(AT_SYMLINK_NOFOLLOW | AT_EMPTY_PATH | AT_EXECVE_CHECK)) != 0)
896
897
return ERR_PTR(-EINVAL);
897
898
if (flags & AT_SYMLINK_NOFOLLOW)
898
899
open_exec_flags.lookup_flags &= ~LOOKUP_FOLLOW;
···
1565
1564
}
1566
1565
bprm->interp = bprm->filename;
1567
1566
1567
+
/*
1568
+
* At this point, security_file_open() has already been called (with
1569
+
* __FMODE_EXEC) and access control checks for AT_EXECVE_CHECK will
1570
+
* stop just after the security_bprm_creds_for_exec() call in
1571
+
* bprm_execve(). Indeed, the kernel should not try to parse the
1572
+
* content of the file with exec_binprm() nor change the calling
1573
+
* thread, which means that the following security functions will not
1574
+
* be called:
1575
+
* - security_bprm_check()
1576
+
* - security_bprm_creds_from_file()
1577
+
* - security_bprm_committing_creds()
1578
+
* - security_bprm_committed_creds()
1579
+
*/
1580
+
bprm->is_check = !!(flags & AT_EXECVE_CHECK);
1581
+
1568
1582
retval = bprm_mm_init(bprm);
1569
1583
if (!retval)
1570
1584
return bprm;
···
1861
1845
1862
1846
/* Set the unchanging part of bprm->cred */
1863
1847
retval = security_bprm_creds_for_exec(bprm);
1864
-
if (retval)
1848
+
if (retval || bprm->is_check)
1865
1849
goto out;
1866
1850
1867
1851
retval = exec_binprm(bprm);
+6
-1
include/linux/binfmts.h
+6
-1
include/linux/binfmts.h
···
44
44
*/
45
45
point_of_no_return:1,
46
46
/* Set when "comm" must come from the dentry. */
47
-
comm_from_dentry:1;
47
+
comm_from_dentry:1,
48
+
/*
49
+
* Set by user space to check executability according to the
50
+
* caller's environment.
51
+
*/
52
+
is_check:1;
48
53
struct file *executable; /* Executable to pass to the interpreter */
49
54
struct file *interpreter;
50
55
struct file *file;
+1
include/uapi/linux/audit.h
+1
include/uapi/linux/audit.h
···
161
161
#define AUDIT_INTEGRITY_RULE 1805 /* policy rule */
162
162
#define AUDIT_INTEGRITY_EVM_XATTR 1806 /* New EVM-covered xattr */
163
163
#define AUDIT_INTEGRITY_POLICY_RULE 1807 /* IMA policy rules */
164
+
#define AUDIT_INTEGRITY_USERSPACE 1808 /* Userspace enforced data integrity */
164
165
165
166
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
166
167
+4
include/uapi/linux/fcntl.h
+4
include/uapi/linux/fcntl.h
···
155
155
#define AT_HANDLE_MNT_ID_UNIQUE 0x001 /* Return the u64 unique mount ID. */
156
156
#define AT_HANDLE_CONNECTABLE 0x002 /* Request a connectable file handle */
157
157
158
+
/* Flags for execveat2(2). */
159
+
#define AT_EXECVE_CHECK 0x10000 /* Only perform a check if execution
160
+
would be allowed. */
161
+
158
162
#endif /* _UAPI_LINUX_FCNTL_H */
+23
-1
include/uapi/linux/securebits.h
+23
-1
include/uapi/linux/securebits.h
···
52
52
#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
53
53
(issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
54
54
55
+
/* See Documentation/userspace-api/check_exec.rst */
56
+
#define SECURE_EXEC_RESTRICT_FILE 8
57
+
#define SECURE_EXEC_RESTRICT_FILE_LOCKED 9 /* make bit-8 immutable */
58
+
59
+
#define SECBIT_EXEC_RESTRICT_FILE (issecure_mask(SECURE_EXEC_RESTRICT_FILE))
60
+
#define SECBIT_EXEC_RESTRICT_FILE_LOCKED \
61
+
(issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED))
62
+
63
+
/* See Documentation/userspace-api/check_exec.rst */
64
+
#define SECURE_EXEC_DENY_INTERACTIVE 10
65
+
#define SECURE_EXEC_DENY_INTERACTIVE_LOCKED 11 /* make bit-10 immutable */
66
+
67
+
#define SECBIT_EXEC_DENY_INTERACTIVE \
68
+
(issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
69
+
#define SECBIT_EXEC_DENY_INTERACTIVE_LOCKED \
70
+
(issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED))
71
+
55
72
#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
56
73
issecure_mask(SECURE_NO_SETUID_FIXUP) | \
57
74
issecure_mask(SECURE_KEEP_CAPS) | \
58
-
issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
75
+
issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE) | \
76
+
issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \
77
+
issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
59
78
#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
79
+
80
+
#define SECURE_ALL_UNPRIVILEGED (issecure_mask(SECURE_EXEC_RESTRICT_FILE) | \
81
+
issecure_mask(SECURE_EXEC_DENY_INTERACTIVE))
60
82
61
83
#endif /* _UAPI_LINUX_SECUREBITS_H */
+9
samples/Kconfig
+9
samples/Kconfig
···
291
291
help
292
292
Build samples that demonstrate the usage of the cgroup API.
293
293
294
+
config SAMPLE_CHECK_EXEC
295
+
bool "Exec secure bits examples"
296
+
depends on CC_CAN_LINK && HEADERS_INSTALL
297
+
help
298
+
Build a tool to easily configure SECBIT_EXEC_RESTRICT_FILE and
299
+
SECBIT_EXEC_DENY_INTERACTIVE, and a simple script interpreter to
300
+
demonstrate how they should be used with execveat(2) +
301
+
AT_EXECVE_CHECK.
302
+
294
303
source "samples/rust/Kconfig"
295
304
296
305
endif # SAMPLES
+1
samples/Makefile
+1
samples/Makefile
···
3
3
4
4
subdir-$(CONFIG_SAMPLE_AUXDISPLAY) += auxdisplay
5
5
subdir-$(CONFIG_SAMPLE_ANDROID_BINDERFS) += binderfs
6
+
subdir-$(CONFIG_SAMPLE_CHECK_EXEC) += check-exec
6
7
subdir-$(CONFIG_SAMPLE_CGROUP) += cgroup
7
8
obj-$(CONFIG_SAMPLE_CONFIGFS) += configfs/
8
9
obj-$(CONFIG_SAMPLE_CONNECTOR) += connector/
+15
samples/check-exec/Makefile
+15
samples/check-exec/Makefile
+205
samples/check-exec/inc.c
+205
samples/check-exec/inc.c
···
1
+
// SPDX-License-Identifier: BSD-3-Clause
2
+
/*
3
+
* Very simple script interpreter that can evaluate two different commands (one
4
+
* per line):
5
+
* - "?" to initialize a counter from user's input;
6
+
* - "+" to increment the counter (which is set to 0 by default).
7
+
*
8
+
* See tools/testing/selftests/exec/check-exec-tests.sh and
9
+
* Documentation/userspace-api/check_exec.rst
10
+
*
11
+
* Copyright © 2024 Microsoft Corporation
12
+
*/
13
+
14
+
#define _GNU_SOURCE
15
+
#include <errno.h>
16
+
#include <linux/fcntl.h>
17
+
#include <linux/prctl.h>
18
+
#include <linux/securebits.h>
19
+
#include <stdbool.h>
20
+
#include <stdio.h>
21
+
#include <stdlib.h>
22
+
#include <string.h>
23
+
#include <sys/prctl.h>
24
+
#include <unistd.h>
25
+
26
+
/* Returns 1 on error, 0 otherwise. */
27
+
static int interpret_buffer(char *buffer, size_t buffer_size)
28
+
{
29
+
char *line, *saveptr = NULL;
30
+
long long number = 0;
31
+
32
+
/* Each command is the first character of a line. */
33
+
saveptr = NULL;
34
+
line = strtok_r(buffer, "\n", &saveptr);
35
+
while (line) {
36
+
if (*line != '#' && strlen(line) != 1) {
37
+
fprintf(stderr, "# ERROR: Unknown string\n");
38
+
return 1;
39
+
}
40
+
switch (*line) {
41
+
case '#':
42
+
/* Skips shebang and comments. */
43
+
break;
44
+
case '+':
45
+
/* Increments and prints the number. */
46
+
number++;
47
+
printf("%lld\n", number);
48
+
break;
49
+
case '?':
50
+
/* Reads integer from stdin. */
51
+
fprintf(stderr, "> Enter new number: \n");
52
+
if (scanf("%lld", &number) != 1) {
53
+
fprintf(stderr,
54
+
"# WARNING: Failed to read number from stdin\n");
55
+
}
56
+
break;
57
+
default:
58
+
fprintf(stderr, "# ERROR: Unknown character '%c'\n",
59
+
*line);
60
+
return 1;
61
+
}
62
+
line = strtok_r(NULL, "\n", &saveptr);
63
+
}
64
+
return 0;
65
+
}
66
+
67
+
/* Returns 1 on error, 0 otherwise. */
68
+
static int interpret_stream(FILE *script, char *const script_name,
69
+
char *const *const envp, const bool restrict_stream)
70
+
{
71
+
int err;
72
+
char *const script_argv[] = { script_name, NULL };
73
+
char buf[128] = {};
74
+
size_t buf_size = sizeof(buf);
75
+
76
+
/*
77
+
* We pass a valid argv and envp to the kernel to emulate a native
78
+
* script execution. We must use the script file descriptor instead of
79
+
* the script path name to avoid race conditions.
80
+
*/
81
+
err = execveat(fileno(script), "", script_argv, envp,
82
+
AT_EMPTY_PATH | AT_EXECVE_CHECK);
83
+
if (err && restrict_stream) {
84
+
perror("ERROR: Script execution check");
85
+
return 1;
86
+
}
87
+
88
+
/* Reads script. */
89
+
buf_size = fread(buf, 1, buf_size - 1, script);
90
+
return interpret_buffer(buf, buf_size);
91
+
}
92
+
93
+
static void print_usage(const char *argv0)
94
+
{
95
+
fprintf(stderr, "usage: %s <script.inc> | -i | -c <command>\n\n",
96
+
argv0);
97
+
fprintf(stderr, "Example:\n");
98
+
fprintf(stderr, " ./set-exec -fi -- ./inc -i < script-exec.inc\n");
99
+
}
100
+
101
+
int main(const int argc, char *const argv[], char *const *const envp)
102
+
{
103
+
int opt;
104
+
char *cmd = NULL;
105
+
char *script_name = NULL;
106
+
bool interpret_stdin = false;
107
+
FILE *script_file = NULL;
108
+
int secbits;
109
+
bool deny_interactive, restrict_file;
110
+
size_t arg_nb;
111
+
112
+
secbits = prctl(PR_GET_SECUREBITS);
113
+
if (secbits == -1) {
114
+
/*
115
+
* This should never happen, except with a buggy seccomp
116
+
* filter.
117
+
*/
118
+
perror("ERROR: Failed to get securebits");
119
+
return 1;
120
+
}
121
+
122
+
deny_interactive = !!(secbits & SECBIT_EXEC_DENY_INTERACTIVE);
123
+
restrict_file = !!(secbits & SECBIT_EXEC_RESTRICT_FILE);
124
+
125
+
while ((opt = getopt(argc, argv, "c:i")) != -1) {
126
+
switch (opt) {
127
+
case 'c':
128
+
if (cmd) {
129
+
fprintf(stderr, "ERROR: Command already set");
130
+
return 1;
131
+
}
132
+
cmd = optarg;
133
+
break;
134
+
case 'i':
135
+
interpret_stdin = true;
136
+
break;
137
+
default:
138
+
print_usage(argv[0]);
139
+
return 1;
140
+
}
141
+
}
142
+
143
+
/* Checks that only one argument is used, or read stdin. */
144
+
arg_nb = !!cmd + !!interpret_stdin;
145
+
if (arg_nb == 0 && argc == 2) {
146
+
script_name = argv[1];
147
+
} else if (arg_nb != 1) {
148
+
print_usage(argv[0]);
149
+
return 1;
150
+
}
151
+
152
+
if (cmd) {
153
+
/*
154
+
* Other kind of interactive interpretations should be denied
155
+
* as well (e.g. CLI arguments passing script snippets,
156
+
* environment variables interpreted as script). However, any
157
+
* way to pass script files should only be restricted according
158
+
* to restrict_file.
159
+
*/
160
+
if (deny_interactive) {
161
+
fprintf(stderr,
162
+
"ERROR: Interactive interpretation denied.\n");
163
+
return 1;
164
+
}
165
+
166
+
return interpret_buffer(cmd, strlen(cmd));
167
+
}
168
+
169
+
if (interpret_stdin && !script_name) {
170
+
script_file = stdin;
171
+
/*
172
+
* As for any execve(2) call, this path may be logged by the
173
+
* kernel.
174
+
*/
175
+
script_name = "/proc/self/fd/0";
176
+
/*
177
+
* When stdin is used, it can point to a regular file or a
178
+
* pipe. Restrict stdin execution according to
179
+
* SECBIT_EXEC_DENY_INTERACTIVE but always allow executable
180
+
* files (which are not considered as interactive inputs).
181
+
*/
182
+
return interpret_stream(script_file, script_name, envp,
183
+
deny_interactive);
184
+
} else if (script_name && !interpret_stdin) {
185
+
/*
186
+
* In this sample, we don't pass any argument to scripts, but
187
+
* otherwise we would have to forge an argv with such
188
+
* arguments.
189
+
*/
190
+
script_file = fopen(script_name, "r");
191
+
if (!script_file) {
192
+
perror("ERROR: Failed to open script");
193
+
return 1;
194
+
}
195
+
/*
196
+
* Restricts file execution according to
197
+
* SECBIT_EXEC_RESTRICT_FILE.
198
+
*/
199
+
return interpret_stream(script_file, script_name, envp,
200
+
restrict_file);
201
+
}
202
+
203
+
print_usage(argv[0]);
204
+
return 1;
205
+
}
+9
samples/check-exec/run-script-ask.inc
+9
samples/check-exec/run-script-ask.inc
+5
samples/check-exec/script-ask.inc
+5
samples/check-exec/script-ask.inc
+4
samples/check-exec/script-exec.inc
+4
samples/check-exec/script-exec.inc
+4
samples/check-exec/script-noexec.inc
+4
samples/check-exec/script-noexec.inc
+85
samples/check-exec/set-exec.c
+85
samples/check-exec/set-exec.c
···
1
+
// SPDX-License-Identifier: BSD-3-Clause
2
+
/*
3
+
* Simple tool to set SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE,
4
+
* before executing a command.
5
+
*
6
+
* Copyright © 2024 Microsoft Corporation
7
+
*/
8
+
9
+
#define _GNU_SOURCE
10
+
#define __SANE_USERSPACE_TYPES__
11
+
#include <errno.h>
12
+
#include <linux/prctl.h>
13
+
#include <linux/securebits.h>
14
+
#include <stdbool.h>
15
+
#include <stdio.h>
16
+
#include <stdlib.h>
17
+
#include <string.h>
18
+
#include <sys/prctl.h>
19
+
#include <unistd.h>
20
+
21
+
static void print_usage(const char *argv0)
22
+
{
23
+
fprintf(stderr, "usage: %s -f|-i -- <cmd> [args]...\n\n", argv0);
24
+
fprintf(stderr, "Execute a command with\n");
25
+
fprintf(stderr, "- SECBIT_EXEC_RESTRICT_FILE set: -f\n");
26
+
fprintf(stderr, "- SECBIT_EXEC_DENY_INTERACTIVE set: -i\n");
27
+
}
28
+
29
+
int main(const int argc, char *const argv[], char *const *const envp)
30
+
{
31
+
const char *cmd_path;
32
+
char *const *cmd_argv;
33
+
int opt, secbits_cur, secbits_new;
34
+
bool has_policy = false;
35
+
36
+
secbits_cur = prctl(PR_GET_SECUREBITS);
37
+
if (secbits_cur == -1) {
38
+
/*
39
+
* This should never happen, except with a buggy seccomp
40
+
* filter.
41
+
*/
42
+
perror("ERROR: Failed to get securebits");
43
+
return 1;
44
+
}
45
+
46
+
secbits_new = secbits_cur;
47
+
while ((opt = getopt(argc, argv, "fi")) != -1) {
48
+
switch (opt) {
49
+
case 'f':
50
+
secbits_new |= SECBIT_EXEC_RESTRICT_FILE |
51
+
SECBIT_EXEC_RESTRICT_FILE_LOCKED;
52
+
has_policy = true;
53
+
break;
54
+
case 'i':
55
+
secbits_new |= SECBIT_EXEC_DENY_INTERACTIVE |
56
+
SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
57
+
has_policy = true;
58
+
break;
59
+
default:
60
+
print_usage(argv[0]);
61
+
return 1;
62
+
}
63
+
}
64
+
65
+
if (!argv[optind] || !has_policy) {
66
+
print_usage(argv[0]);
67
+
return 1;
68
+
}
69
+
70
+
if (secbits_cur != secbits_new &&
71
+
prctl(PR_SET_SECUREBITS, secbits_new)) {
72
+
perror("Failed to set secure bit(s).");
73
+
fprintf(stderr,
74
+
"Hint: The running kernel may not support this feature.\n");
75
+
return 1;
76
+
}
77
+
78
+
cmd_path = argv[optind];
79
+
cmd_argv = argv + optind;
80
+
fprintf(stderr, "Executing command...\n");
81
+
execvpe(cmd_path, cmd_argv, envp);
82
+
fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
83
+
strerror(errno));
84
+
return 1;
85
+
}
+23
-6
security/commoncap.c
+23
-6
security/commoncap.c
···
1302
1302
& (old->securebits ^ arg2)) /*[1]*/
1303
1303
|| ((old->securebits & SECURE_ALL_LOCKS & ~arg2)) /*[2]*/
1304
1304
|| (arg2 & ~(SECURE_ALL_LOCKS | SECURE_ALL_BITS)) /*[3]*/
1305
-
|| (cap_capable(current_cred(),
1306
-
current_cred()->user_ns,
1307
-
CAP_SETPCAP,
1308
-
CAP_OPT_NONE) != 0) /*[4]*/
1309
1305
/*
1310
1306
* [1] no changing of bits that are locked
1311
1307
* [2] no unlocking of locks
1312
1308
* [3] no setting of unsupported bits
1313
-
* [4] doing anything requires privilege (go read about
1314
-
* the "sendmail capabilities bug")
1315
1309
*/
1316
1310
)
1317
1311
/* cannot change a locked bit */
1318
1312
return -EPERM;
1313
+
1314
+
/*
1315
+
* Doing anything requires privilege (go read about the
1316
+
* "sendmail capabilities bug"), except for unprivileged bits.
1317
+
* Indeed, the SECURE_ALL_UNPRIVILEGED bits are not
1318
+
* restrictions enforced by the kernel but by user space on
1319
+
* itself.
1320
+
*/
1321
+
if (cap_capable(current_cred(), current_cred()->user_ns,
1322
+
CAP_SETPCAP, CAP_OPT_NONE) != 0) {
1323
+
const unsigned long unpriv_and_locks =
1324
+
SECURE_ALL_UNPRIVILEGED |
1325
+
SECURE_ALL_UNPRIVILEGED << 1;
1326
+
const unsigned long changed = old->securebits ^ arg2;
1327
+
1328
+
/* For legacy reason, denies non-change. */
1329
+
if (!changed)
1330
+
return -EPERM;
1331
+
1332
+
/* Denies privileged changes. */
1333
+
if (changed & ~unpriv_and_locks)
1334
+
return -EPERM;
1335
+
}
1319
1336
1320
1337
new = prepare_creds();
1321
1338
if (!new)
+25
-2
security/integrity/ima/ima_appraise.c
+25
-2
security/integrity/ima/ima_appraise.c
···
8
8
#include <linux/module.h>
9
9
#include <linux/init.h>
10
10
#include <linux/file.h>
11
+
#include <linux/binfmts.h>
11
12
#include <linux/fs.h>
12
13
#include <linux/xattr.h>
13
14
#include <linux/magic.h>
···
470
469
return rc;
471
470
}
472
471
472
+
static bool is_bprm_creds_for_exec(enum ima_hooks func, struct file *file)
473
+
{
474
+
struct linux_binprm *bprm;
475
+
476
+
if (func == BPRM_CHECK) {
477
+
bprm = container_of(&file, struct linux_binprm, file);
478
+
return bprm->is_check;
479
+
}
480
+
return false;
481
+
}
482
+
473
483
/*
474
484
* ima_appraise_measurement - appraise file measurement
475
485
*
···
495
483
int xattr_len, const struct modsig *modsig)
496
484
{
497
485
static const char op[] = "appraise_data";
486
+
int audit_msgno = AUDIT_INTEGRITY_DATA;
498
487
const char *cause = "unknown";
499
488
struct dentry *dentry = file_dentry(file);
500
489
struct inode *inode = d_backing_inode(dentry);
···
506
493
/* If not appraising a modsig, we need an xattr. */
507
494
if (!(inode->i_opflags & IOP_XATTR) && !try_modsig)
508
495
return INTEGRITY_UNKNOWN;
496
+
497
+
/*
498
+
* Unlike any of the other LSM hooks where the kernel enforces file
499
+
* integrity, enforcing file integrity for the bprm_creds_for_exec()
500
+
* LSM hook with the AT_EXECVE_CHECK flag is left up to the discretion
501
+
* of the script interpreter(userspace). Differentiate kernel and
502
+
* userspace enforced integrity audit messages.
503
+
*/
504
+
if (is_bprm_creds_for_exec(func, file))
505
+
audit_msgno = AUDIT_INTEGRITY_USERSPACE;
509
506
510
507
/* If reading the xattr failed and there's no modsig, error out. */
511
508
if (rc <= 0 && !try_modsig) {
···
592
569
(iint->flags & IMA_FAIL_UNVERIFIABLE_SIGS))) {
593
570
status = INTEGRITY_FAIL;
594
571
cause = "unverifiable-signature";
595
-
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
572
+
integrity_audit_msg(audit_msgno, inode, filename,
596
573
op, cause, rc, 0);
597
574
} else if (status != INTEGRITY_PASS) {
598
575
/* Fix mode, but don't replace file signatures. */
···
612
589
status = INTEGRITY_PASS;
613
590
}
614
591
615
-
integrity_audit_msg(AUDIT_INTEGRITY_DATA, inode, filename,
592
+
integrity_audit_msg(audit_msgno, inode, filename,
616
593
op, cause, rc, 0);
617
594
} else {
618
595
ima_cache_flags(iint, func);
+29
security/integrity/ima/ima_main.c
+29
security/integrity/ima/ima_main.c
···
555
555
}
556
556
557
557
/**
558
+
* ima_bprm_creds_for_exec - collect/store/appraise measurement.
559
+
* @bprm: contains the linux_binprm structure
560
+
*
561
+
* Based on the IMA policy and the execveat(2) AT_EXECVE_CHECK flag, measure
562
+
* and appraise the integrity of a file to be executed by script interpreters.
563
+
* Unlike any of the other LSM hooks where the kernel enforces file integrity,
564
+
* enforcing file integrity is left up to the discretion of the script
565
+
* interpreter (userspace).
566
+
*
567
+
* On success return 0. On integrity appraisal error, assuming the file
568
+
* is in policy and IMA-appraisal is in enforcing mode, return -EACCES.
569
+
*/
570
+
static int ima_bprm_creds_for_exec(struct linux_binprm *bprm)
571
+
{
572
+
/*
573
+
* As security_bprm_check() is called multiple times, both
574
+
* the script and the shebang interpreter are measured, appraised,
575
+
* and audited. Limit usage of this LSM hook to just measuring,
576
+
* appraising, and auditing the indirect script execution
577
+
* (e.g. ./sh example.sh).
578
+
*/
579
+
if (!bprm->is_check)
580
+
return 0;
581
+
582
+
return ima_bprm_check(bprm);
583
+
}
584
+
585
+
/**
558
586
* ima_file_check - based on policy, collect/store measurement.
559
587
* @file: pointer to the file to be measured
560
588
* @mask: contains MAY_READ, MAY_WRITE, MAY_EXEC or MAY_APPEND
···
1202
1174
1203
1175
static struct security_hook_list ima_hooks[] __ro_after_init = {
1204
1176
LSM_HOOK_INIT(bprm_check_security, ima_bprm_check),
1177
+
LSM_HOOK_INIT(bprm_creds_for_exec, ima_bprm_creds_for_exec),
1205
1178
LSM_HOOK_INIT(file_post_open, ima_file_check),
1206
1179
LSM_HOOK_INIT(inode_post_create_tmpfile, ima_post_create_tmpfile),
1207
1180
LSM_HOOK_INIT(file_release, ima_file_free),
+10
security/security.c
+10
security/security.c
···
1248
1248
* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm
1249
1249
* contains the linux_binprm structure.
1250
1250
*
1251
+
* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is
1252
+
* set. The result must be the same as without this flag even if the execution
1253
+
* will never really happen and @bprm will always be dropped.
1254
+
*
1255
+
* This hook must not change current->cred, only @bprm->cred.
1256
+
*
1251
1257
* Return: Returns 0 if the hook is successful and permission is granted.
1252
1258
*/
1253
1259
int security_bprm_creds_for_exec(struct linux_binprm *bprm)
···
3102
3096
*
3103
3097
* Save open-time permission checking state for later use upon file_permission,
3104
3098
* and recheck access if anything has changed since inode_permission.
3099
+
*
3100
+
* We can check if a file is opened for execution (e.g. execve(2) call), either
3101
+
* directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &
3102
+
* __FMODE_EXEC .
3105
3103
*
3106
3104
* Return: Returns 0 if permission is granted.
3107
3105
*/
+4
tools/testing/selftests/exec/.gitignore
+4
tools/testing/selftests/exec/.gitignore
+18
-1
tools/testing/selftests/exec/Makefile
+18
-1
tools/testing/selftests/exec/Makefile
···
1
1
# SPDX-License-Identifier: GPL-2.0
2
2
CFLAGS = -Wall
3
3
CFLAGS += -Wno-nonnull
4
+
CFLAGS += $(KHDR_INCLUDES)
5
+
6
+
LDLIBS += -lcap
4
7
5
8
ALIGNS := 0x1000 0x200000 0x1000000
6
9
ALIGN_PIES := $(patsubst %,load_address.%,$(ALIGNS))
7
10
ALIGN_STATIC_PIES := $(patsubst %,load_address.static.%,$(ALIGNS))
8
11
ALIGNMENT_TESTS := $(ALIGN_PIES) $(ALIGN_STATIC_PIES)
9
12
10
-
TEST_PROGS := binfmt_script.py
13
+
TEST_PROGS := binfmt_script.py check-exec-tests.sh
11
14
TEST_GEN_PROGS := execveat non-regular $(ALIGNMENT_TESTS)
15
+
TEST_GEN_PROGS_EXTENDED := false inc set-exec script-exec.inc script-noexec.inc
12
16
TEST_GEN_FILES := execveat.symlink execveat.denatured script subdir
13
17
# Makefile is a run-time dependency, since it's accessed by the execveat test
14
18
TEST_FILES := Makefile
15
19
16
20
TEST_GEN_PROGS += recursion-depth
17
21
TEST_GEN_PROGS += null-argv
22
+
TEST_GEN_PROGS += check-exec
18
23
19
24
EXTRA_CLEAN := $(OUTPUT)/subdir.moved $(OUTPUT)/execveat.moved $(OUTPUT)/xxxxx* \
20
25
$(OUTPUT)/S_I*.test
21
26
22
27
include ../lib.mk
28
+
29
+
CHECK_EXEC_SAMPLES := $(top_srcdir)/samples/check-exec
23
30
24
31
$(OUTPUT)/subdir:
25
32
mkdir -p $@
···
45
38
$(OUTPUT)/load_address.static.0x%: load_address.c
46
39
$(CC) $(CFLAGS) $(LDFLAGS) -Wl,-z,max-page-size=$(lastword $(subst ., ,$@)) \
47
40
-fPIE -static-pie $< -o $@
41
+
$(OUTPUT)/false: false.c
42
+
$(CC) $(CFLAGS) $(LDFLAGS) -static $< -o $@
43
+
$(OUTPUT)/inc: $(CHECK_EXEC_SAMPLES)/inc.c
44
+
$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
45
+
$(OUTPUT)/set-exec: $(CHECK_EXEC_SAMPLES)/set-exec.c
46
+
$(CC) $(CFLAGS) $(LDFLAGS) $< -o $@
47
+
$(OUTPUT)/script-exec.inc: $(CHECK_EXEC_SAMPLES)/script-exec.inc
48
+
cp $< $@
49
+
$(OUTPUT)/script-noexec.inc: $(CHECK_EXEC_SAMPLES)/script-noexec.inc
50
+
cp $< $@
+205
tools/testing/selftests/exec/check-exec-tests.sh
+205
tools/testing/selftests/exec/check-exec-tests.sh
···
1
+
#!/usr/bin/env bash
2
+
# SPDX-License-Identifier: GPL-2.0
3
+
#
4
+
# Test the "inc" interpreter.
5
+
#
6
+
# See include/uapi/linux/securebits.h, include/uapi/linux/fcntl.h and
7
+
# samples/check-exec/inc.c
8
+
#
9
+
# Copyright © 2024 Microsoft Corporation
10
+
11
+
set -u -e -o pipefail
12
+
13
+
EXPECTED_OUTPUT="1"
14
+
exec 2>/dev/null
15
+
16
+
DIR="$(dirname $(readlink -f "$0"))"
17
+
source "${DIR}"/../kselftest/ktap_helpers.sh
18
+
19
+
exec_direct() {
20
+
local expect="$1"
21
+
local script="$2"
22
+
shift 2
23
+
local ret=0
24
+
local out
25
+
26
+
# Updates PATH for `env` to execute the `inc` interpreter.
27
+
out="$(PATH="." "$@" "${script}")" || ret=$?
28
+
29
+
if [[ ${ret} -ne ${expect} ]]; then
30
+
echo "ERROR: Wrong expectation for direct file execution: ${ret}"
31
+
return 1
32
+
fi
33
+
if [[ ${ret} -eq 0 && "${out}" != "${EXPECTED_OUTPUT}" ]]; then
34
+
echo "ERROR: Wrong output for direct file execution: ${out}"
35
+
return 1
36
+
fi
37
+
}
38
+
39
+
exec_indirect() {
40
+
local expect="$1"
41
+
local script="$2"
42
+
shift 2
43
+
local ret=0
44
+
local out
45
+
46
+
# Script passed as argument.
47
+
out="$("$@" ./inc "${script}")" || ret=$?
48
+
49
+
if [[ ${ret} -ne ${expect} ]]; then
50
+
echo "ERROR: Wrong expectation for indirect file execution: ${ret}"
51
+
return 1
52
+
fi
53
+
if [[ ${ret} -eq 0 && "${out}" != "${EXPECTED_OUTPUT}" ]]; then
54
+
echo "ERROR: Wrong output for indirect file execution: ${out}"
55
+
return 1
56
+
fi
57
+
}
58
+
59
+
exec_stdin_reg() {
60
+
local expect="$1"
61
+
local script="$2"
62
+
shift 2
63
+
local ret=0
64
+
local out
65
+
66
+
# Executing stdin must be allowed if the related file is executable.
67
+
out="$("$@" ./inc -i < "${script}")" || ret=$?
68
+
69
+
if [[ ${ret} -ne ${expect} ]]; then
70
+
echo "ERROR: Wrong expectation for stdin regular file execution: ${ret}"
71
+
return 1
72
+
fi
73
+
if [[ ${ret} -eq 0 && "${out}" != "${EXPECTED_OUTPUT}" ]]; then
74
+
echo "ERROR: Wrong output for stdin regular file execution: ${out}"
75
+
return 1
76
+
fi
77
+
}
78
+
79
+
exec_stdin_pipe() {
80
+
local expect="$1"
81
+
shift
82
+
local ret=0
83
+
local out
84
+
85
+
# A pipe is not executable.
86
+
out="$(cat script-exec.inc | "$@" ./inc -i)" || ret=$?
87
+
88
+
if [[ ${ret} -ne ${expect} ]]; then
89
+
echo "ERROR: Wrong expectation for stdin pipe execution: ${ret}"
90
+
return 1
91
+
fi
92
+
}
93
+
94
+
exec_argument() {
95
+
local expect="$1"
96
+
local ret=0
97
+
shift
98
+
local out
99
+
100
+
# Script not coming from a file must not be executed.
101
+
out="$("$@" ./inc -c "$(< script-exec.inc)")" || ret=$?
102
+
103
+
if [[ ${ret} -ne ${expect} ]]; then
104
+
echo "ERROR: Wrong expectation for arbitrary argument execution: ${ret}"
105
+
return 1
106
+
fi
107
+
if [[ ${ret} -eq 0 && "${out}" != "${EXPECTED_OUTPUT}" ]]; then
108
+
echo "ERROR: Wrong output for arbitrary argument execution: ${out}"
109
+
return 1
110
+
fi
111
+
}
112
+
113
+
exec_interactive() {
114
+
exec_stdin_pipe "$@"
115
+
exec_argument "$@"
116
+
}
117
+
118
+
ktap_test() {
119
+
ktap_test_result "$*" "$@"
120
+
}
121
+
122
+
ktap_print_header
123
+
ktap_set_plan 28
124
+
125
+
# Without secbit configuration, nothing is changed.
126
+
127
+
ktap_print_msg "By default, executable scripts are allowed to be interpreted and executed."
128
+
ktap_test exec_direct 0 script-exec.inc
129
+
ktap_test exec_indirect 0 script-exec.inc
130
+
131
+
ktap_print_msg "By default, executable stdin is allowed to be interpreted."
132
+
ktap_test exec_stdin_reg 0 script-exec.inc
133
+
134
+
ktap_print_msg "By default, non-executable scripts are allowed to be interpreted, but not directly executed."
135
+
# We get 126 because of direct execution by Bash.
136
+
ktap_test exec_direct 126 script-noexec.inc
137
+
ktap_test exec_indirect 0 script-noexec.inc
138
+
139
+
ktap_print_msg "By default, non-executable stdin is allowed to be interpreted."
140
+
ktap_test exec_stdin_reg 0 script-noexec.inc
141
+
142
+
ktap_print_msg "By default, interactive commands are allowed to be interpreted."
143
+
ktap_test exec_interactive 0
144
+
145
+
# With only file restriction: protect non-malicious users from inadvertent errors (e.g. python ~/Downloads/*.py).
146
+
147
+
ktap_print_msg "With -f, executable scripts are allowed to be interpreted and executed."
148
+
ktap_test exec_direct 0 script-exec.inc ./set-exec -f --
149
+
ktap_test exec_indirect 0 script-exec.inc ./set-exec -f --
150
+
151
+
ktap_print_msg "With -f, executable stdin is allowed to be interpreted."
152
+
ktap_test exec_stdin_reg 0 script-exec.inc ./set-exec -f --
153
+
154
+
ktap_print_msg "With -f, non-executable scripts are not allowed to be executed nor interpreted."
155
+
# Direct execution of non-executable script is alwayse denied by the kernel.
156
+
ktap_test exec_direct 1 script-noexec.inc ./set-exec -f --
157
+
ktap_test exec_indirect 1 script-noexec.inc ./set-exec -f --
158
+
159
+
ktap_print_msg "With -f, non-executable stdin is allowed to be interpreted."
160
+
ktap_test exec_stdin_reg 0 script-noexec.inc ./set-exec -f --
161
+
162
+
ktap_print_msg "With -f, interactive commands are allowed to be interpreted."
163
+
ktap_test exec_interactive 0 ./set-exec -f --
164
+
165
+
# With only denied interactive commands: check or monitor script content (e.g. with LSM).
166
+
167
+
ktap_print_msg "With -i, executable scripts are allowed to be interpreted and executed."
168
+
ktap_test exec_direct 0 script-exec.inc ./set-exec -i --
169
+
ktap_test exec_indirect 0 script-exec.inc ./set-exec -i --
170
+
171
+
ktap_print_msg "With -i, executable stdin is allowed to be interpreted."
172
+
ktap_test exec_stdin_reg 0 script-exec.inc ./set-exec -i --
173
+
174
+
ktap_print_msg "With -i, non-executable scripts are allowed to be interpreted, but not directly executed."
175
+
# Direct execution of non-executable script is alwayse denied by the kernel.
176
+
ktap_test exec_direct 1 script-noexec.inc ./set-exec -i --
177
+
ktap_test exec_indirect 0 script-noexec.inc ./set-exec -i --
178
+
179
+
ktap_print_msg "With -i, non-executable stdin is not allowed to be interpreted."
180
+
ktap_test exec_stdin_reg 1 script-noexec.inc ./set-exec -i --
181
+
182
+
ktap_print_msg "With -i, interactive commands are not allowed to be interpreted."
183
+
ktap_test exec_interactive 1 ./set-exec -i --
184
+
185
+
# With both file restriction and denied interactive commands: only allow executable scripts.
186
+
187
+
ktap_print_msg "With -fi, executable scripts are allowed to be interpreted and executed."
188
+
ktap_test exec_direct 0 script-exec.inc ./set-exec -fi --
189
+
ktap_test exec_indirect 0 script-exec.inc ./set-exec -fi --
190
+
191
+
ktap_print_msg "With -fi, executable stdin is allowed to be interpreted."
192
+
ktap_test exec_stdin_reg 0 script-exec.inc ./set-exec -fi --
193
+
194
+
ktap_print_msg "With -fi, non-executable scripts are not allowed to be interpreted nor executed."
195
+
# Direct execution of non-executable script is alwayse denied by the kernel.
196
+
ktap_test exec_direct 1 script-noexec.inc ./set-exec -fi --
197
+
ktap_test exec_indirect 1 script-noexec.inc ./set-exec -fi --
198
+
199
+
ktap_print_msg "With -fi, non-executable stdin is not allowed to be interpreted."
200
+
ktap_test exec_stdin_reg 1 script-noexec.inc ./set-exec -fi --
201
+
202
+
ktap_print_msg "With -fi, interactive commands are not allowed to be interpreted."
203
+
ktap_test exec_interactive 1 ./set-exec -fi --
204
+
205
+
ktap_finished
+456
tools/testing/selftests/exec/check-exec.c
+456
tools/testing/selftests/exec/check-exec.c
···
1
+
// SPDX-License-Identifier: GPL-2.0
2
+
/*
3
+
* Test execveat(2) with AT_EXECVE_CHECK, and prctl(2) with
4
+
* SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE, and their locked
5
+
* counterparts.
6
+
*
7
+
* Copyright © 2018-2020 ANSSI
8
+
* Copyright © 2024 Microsoft Corporation
9
+
*
10
+
* Author: Mickaël Salaün <mic@digikod.net>
11
+
*/
12
+
13
+
#include <asm-generic/unistd.h>
14
+
#include <errno.h>
15
+
#include <fcntl.h>
16
+
#include <linux/prctl.h>
17
+
#include <linux/securebits.h>
18
+
#include <stdio.h>
19
+
#include <stdlib.h>
20
+
#include <sys/capability.h>
21
+
#include <sys/mount.h>
22
+
#include <sys/prctl.h>
23
+
#include <sys/socket.h>
24
+
#include <sys/stat.h>
25
+
#include <sys/sysmacros.h>
26
+
#include <unistd.h>
27
+
28
+
/* Defines AT_EXECVE_CHECK without type conflicts. */
29
+
#define _ASM_GENERIC_FCNTL_H
30
+
#include <linux/fcntl.h>
31
+
32
+
#include "../kselftest_harness.h"
33
+
34
+
static void drop_privileges(struct __test_metadata *const _metadata)
35
+
{
36
+
const unsigned int noroot = SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
37
+
cap_t cap_p;
38
+
39
+
if ((cap_get_secbits() & noroot) != noroot)
40
+
EXPECT_EQ(0, cap_set_secbits(noroot));
41
+
42
+
cap_p = cap_get_proc();
43
+
EXPECT_NE(NULL, cap_p);
44
+
EXPECT_NE(-1, cap_clear(cap_p));
45
+
46
+
/*
47
+
* Drops everything, especially CAP_SETPCAP, CAP_DAC_OVERRIDE, and
48
+
* CAP_DAC_READ_SEARCH.
49
+
*/
50
+
EXPECT_NE(-1, cap_set_proc(cap_p));
51
+
EXPECT_NE(-1, cap_free(cap_p));
52
+
}
53
+
54
+
static int test_secbits_set(const unsigned int secbits)
55
+
{
56
+
int err;
57
+
58
+
err = prctl(PR_SET_SECUREBITS, secbits);
59
+
if (err)
60
+
return errno;
61
+
return 0;
62
+
}
63
+
64
+
FIXTURE(access)
65
+
{
66
+
int memfd, pipefd;
67
+
int pipe_fds[2], socket_fds[2];
68
+
};
69
+
70
+
FIXTURE_VARIANT(access)
71
+
{
72
+
const bool mount_exec;
73
+
const bool file_exec;
74
+
};
75
+
76
+
/* clang-format off */
77
+
FIXTURE_VARIANT_ADD(access, mount_exec_file_exec) {
78
+
/* clang-format on */
79
+
.mount_exec = true,
80
+
.file_exec = true,
81
+
};
82
+
83
+
/* clang-format off */
84
+
FIXTURE_VARIANT_ADD(access, mount_exec_file_noexec) {
85
+
/* clang-format on */
86
+
.mount_exec = true,
87
+
.file_exec = false,
88
+
};
89
+
90
+
/* clang-format off */
91
+
FIXTURE_VARIANT_ADD(access, mount_noexec_file_exec) {
92
+
/* clang-format on */
93
+
.mount_exec = false,
94
+
.file_exec = true,
95
+
};
96
+
97
+
/* clang-format off */
98
+
FIXTURE_VARIANT_ADD(access, mount_noexec_file_noexec) {
99
+
/* clang-format on */
100
+
.mount_exec = false,
101
+
.file_exec = false,
102
+
};
103
+
104
+
static const char binary_path[] = "./false";
105
+
static const char workdir_path[] = "./test-mount";
106
+
static const char reg_file_path[] = "./test-mount/regular_file";
107
+
static const char dir_path[] = "./test-mount/directory";
108
+
static const char block_dev_path[] = "./test-mount/block_device";
109
+
static const char char_dev_path[] = "./test-mount/character_device";
110
+
static const char fifo_path[] = "./test-mount/fifo";
111
+
112
+
FIXTURE_SETUP(access)
113
+
{
114
+
int procfd_path_size;
115
+
static const char path_template[] = "/proc/self/fd/%d";
116
+
char procfd_path[sizeof(path_template) + 10];
117
+
118
+
/* Makes sure we are not already restricted nor locked. */
119
+
EXPECT_EQ(0, test_secbits_set(0));
120
+
121
+
/*
122
+
* Cleans previous workspace if any error previously happened (don't
123
+
* check errors).
124
+
*/
125
+
umount(workdir_path);
126
+
rmdir(workdir_path);
127
+
128
+
/* Creates a clean mount point. */
129
+
ASSERT_EQ(0, mkdir(workdir_path, 00700));
130
+
ASSERT_EQ(0, mount("test", workdir_path, "tmpfs",
131
+
MS_MGC_VAL | (variant->mount_exec ? 0 : MS_NOEXEC),
132
+
"mode=0700,size=9m"));
133
+
134
+
/* Creates a regular file. */
135
+
ASSERT_EQ(0, mknod(reg_file_path,
136
+
S_IFREG | (variant->file_exec ? 0700 : 0600), 0));
137
+
/* Creates a directory. */
138
+
ASSERT_EQ(0, mkdir(dir_path, variant->file_exec ? 0700 : 0600));
139
+
/* Creates a character device: /dev/null. */
140
+
ASSERT_EQ(0, mknod(char_dev_path, S_IFCHR | 0400, makedev(1, 3)));
141
+
/* Creates a block device: /dev/loop0 */
142
+
ASSERT_EQ(0, mknod(block_dev_path, S_IFBLK | 0400, makedev(7, 0)));
143
+
/* Creates a fifo. */
144
+
ASSERT_EQ(0, mknod(fifo_path, S_IFIFO | 0600, 0));
145
+
146
+
/* Creates a regular file without user mount point. */
147
+
self->memfd = memfd_create("test-exec-probe", MFD_CLOEXEC);
148
+
ASSERT_LE(0, self->memfd);
149
+
/* Sets mode, which must be ignored by the exec check. */
150
+
ASSERT_EQ(0, fchmod(self->memfd, variant->file_exec ? 0700 : 0600));
151
+
152
+
/* Creates a pipefs file descriptor. */
153
+
ASSERT_EQ(0, pipe(self->pipe_fds));
154
+
procfd_path_size = snprintf(procfd_path, sizeof(procfd_path),
155
+
path_template, self->pipe_fds[0]);
156
+
ASSERT_LT(procfd_path_size, sizeof(procfd_path));
157
+
self->pipefd = open(procfd_path, O_RDWR | O_CLOEXEC);
158
+
ASSERT_LE(0, self->pipefd);
159
+
ASSERT_EQ(0, fchmod(self->pipefd, variant->file_exec ? 0700 : 0600));
160
+
161
+
/* Creates a socket file descriptor. */
162
+
ASSERT_EQ(0, socketpair(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0,
163
+
self->socket_fds));
164
+
}
165
+
166
+
FIXTURE_TEARDOWN_PARENT(access)
167
+
{
168
+
/* There is no need to unlink the test files. */
169
+
EXPECT_EQ(0, umount(workdir_path));
170
+
EXPECT_EQ(0, rmdir(workdir_path));
171
+
}
172
+
173
+
static void fill_exec_fd(struct __test_metadata *_metadata, const int fd_out)
174
+
{
175
+
char buf[1024];
176
+
size_t len;
177
+
int fd_in;
178
+
179
+
fd_in = open(binary_path, O_CLOEXEC | O_RDONLY);
180
+
ASSERT_LE(0, fd_in);
181
+
/* Cannot use copy_file_range(2) because of EXDEV. */
182
+
len = read(fd_in, buf, sizeof(buf));
183
+
EXPECT_LE(0, len);
184
+
while (len > 0) {
185
+
EXPECT_EQ(len, write(fd_out, buf, len))
186
+
{
187
+
TH_LOG("Failed to write: %s (%d)", strerror(errno),
188
+
errno);
189
+
}
190
+
len = read(fd_in, buf, sizeof(buf));
191
+
EXPECT_LE(0, len);
192
+
}
193
+
EXPECT_EQ(0, close(fd_in));
194
+
}
195
+
196
+
static void fill_exec_path(struct __test_metadata *_metadata,
197
+
const char *const path)
198
+
{
199
+
int fd_out;
200
+
201
+
fd_out = open(path, O_CLOEXEC | O_WRONLY);
202
+
ASSERT_LE(0, fd_out)
203
+
{
204
+
TH_LOG("Failed to open %s: %s", path, strerror(errno));
205
+
}
206
+
fill_exec_fd(_metadata, fd_out);
207
+
EXPECT_EQ(0, close(fd_out));
208
+
}
209
+
210
+
static void test_exec_fd(struct __test_metadata *_metadata, const int fd,
211
+
const int err_code)
212
+
{
213
+
char *const argv[] = { "", NULL };
214
+
int access_ret, access_errno;
215
+
216
+
/*
217
+
* If we really execute fd, filled with the "false" binary, the current
218
+
* thread will exits with an error, which will be interpreted by the
219
+
* test framework as an error. With AT_EXECVE_CHECK, we only check a
220
+
* potential successful execution.
221
+
*/
222
+
access_ret =
223
+
execveat(fd, "", argv, NULL, AT_EMPTY_PATH | AT_EXECVE_CHECK);
224
+
access_errno = errno;
225
+
if (err_code) {
226
+
EXPECT_EQ(-1, access_ret);
227
+
EXPECT_EQ(err_code, access_errno)
228
+
{
229
+
TH_LOG("Wrong error for execveat(2): %s (%d)",
230
+
strerror(access_errno), errno);
231
+
}
232
+
} else {
233
+
EXPECT_EQ(0, access_ret)
234
+
{
235
+
TH_LOG("Access denied: %s", strerror(access_errno));
236
+
}
237
+
}
238
+
}
239
+
240
+
static void test_exec_path(struct __test_metadata *_metadata,
241
+
const char *const path, const int err_code)
242
+
{
243
+
int flags = O_CLOEXEC;
244
+
int fd;
245
+
246
+
/* Do not block on pipes. */
247
+
if (path == fifo_path)
248
+
flags |= O_NONBLOCK;
249
+
250
+
fd = open(path, flags | O_RDONLY);
251
+
ASSERT_LE(0, fd)
252
+
{
253
+
TH_LOG("Failed to open %s: %s", path, strerror(errno));
254
+
}
255
+
test_exec_fd(_metadata, fd, err_code);
256
+
EXPECT_EQ(0, close(fd));
257
+
}
258
+
259
+
/* Tests that we don't get ENOEXEC. */
260
+
TEST_F(access, regular_file_empty)
261
+
{
262
+
const int exec = variant->mount_exec && variant->file_exec;
263
+
264
+
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
265
+
266
+
drop_privileges(_metadata);
267
+
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
268
+
}
269
+
270
+
TEST_F(access, regular_file_elf)
271
+
{
272
+
const int exec = variant->mount_exec && variant->file_exec;
273
+
274
+
fill_exec_path(_metadata, reg_file_path);
275
+
276
+
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
277
+
278
+
drop_privileges(_metadata);
279
+
test_exec_path(_metadata, reg_file_path, exec ? 0 : EACCES);
280
+
}
281
+
282
+
/* Tests that we don't get ENOEXEC. */
283
+
TEST_F(access, memfd_empty)
284
+
{
285
+
const int exec = variant->file_exec;
286
+
287
+
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
288
+
289
+
drop_privileges(_metadata);
290
+
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
291
+
}
292
+
293
+
TEST_F(access, memfd_elf)
294
+
{
295
+
const int exec = variant->file_exec;
296
+
297
+
fill_exec_fd(_metadata, self->memfd);
298
+
299
+
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
300
+
301
+
drop_privileges(_metadata);
302
+
test_exec_fd(_metadata, self->memfd, exec ? 0 : EACCES);
303
+
}
304
+
305
+
TEST_F(access, non_regular_files)
306
+
{
307
+
test_exec_path(_metadata, dir_path, EACCES);
308
+
test_exec_path(_metadata, block_dev_path, EACCES);
309
+
test_exec_path(_metadata, char_dev_path, EACCES);
310
+
test_exec_path(_metadata, fifo_path, EACCES);
311
+
test_exec_fd(_metadata, self->socket_fds[0], EACCES);
312
+
test_exec_fd(_metadata, self->pipefd, EACCES);
313
+
}
314
+
315
+
/* clang-format off */
316
+
FIXTURE(secbits) {};
317
+
/* clang-format on */
318
+
319
+
FIXTURE_VARIANT(secbits)
320
+
{
321
+
const bool is_privileged;
322
+
const int error;
323
+
};
324
+
325
+
/* clang-format off */
326
+
FIXTURE_VARIANT_ADD(secbits, priv) {
327
+
/* clang-format on */
328
+
.is_privileged = true,
329
+
.error = 0,
330
+
};
331
+
332
+
/* clang-format off */
333
+
FIXTURE_VARIANT_ADD(secbits, unpriv) {
334
+
/* clang-format on */
335
+
.is_privileged = false,
336
+
.error = EPERM,
337
+
};
338
+
339
+
FIXTURE_SETUP(secbits)
340
+
{
341
+
/* Makes sure no exec bits are set. */
342
+
EXPECT_EQ(0, test_secbits_set(0));
343
+
EXPECT_EQ(0, prctl(PR_GET_SECUREBITS));
344
+
345
+
if (!variant->is_privileged)
346
+
drop_privileges(_metadata);
347
+
}
348
+
349
+
FIXTURE_TEARDOWN(secbits)
350
+
{
351
+
}
352
+
353
+
TEST_F(secbits, legacy)
354
+
{
355
+
EXPECT_EQ(variant->error, test_secbits_set(0));
356
+
}
357
+
358
+
#define CHILD(...) \
359
+
do { \
360
+
pid_t child = vfork(); \
361
+
EXPECT_LE(0, child); \
362
+
if (child == 0) { \
363
+
__VA_ARGS__; \
364
+
_exit(0); \
365
+
} \
366
+
} while (0)
367
+
368
+
TEST_F(secbits, exec)
369
+
{
370
+
unsigned int secbits = prctl(PR_GET_SECUREBITS);
371
+
372
+
secbits |= SECBIT_EXEC_RESTRICT_FILE;
373
+
EXPECT_EQ(0, test_secbits_set(secbits));
374
+
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
375
+
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
376
+
377
+
secbits |= SECBIT_EXEC_DENY_INTERACTIVE;
378
+
EXPECT_EQ(0, test_secbits_set(secbits));
379
+
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
380
+
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
381
+
382
+
secbits &= ~(SECBIT_EXEC_RESTRICT_FILE | SECBIT_EXEC_DENY_INTERACTIVE);
383
+
EXPECT_EQ(0, test_secbits_set(secbits));
384
+
EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS));
385
+
CHILD(EXPECT_EQ(secbits, prctl(PR_GET_SECUREBITS)));
386
+
}
387
+
388
+
TEST_F(secbits, check_locked_set)
389
+
{
390
+
unsigned int secbits = prctl(PR_GET_SECUREBITS);
391
+
392
+
secbits |= SECBIT_EXEC_RESTRICT_FILE;
393
+
EXPECT_EQ(0, test_secbits_set(secbits));
394
+
secbits |= SECBIT_EXEC_RESTRICT_FILE_LOCKED;
395
+
EXPECT_EQ(0, test_secbits_set(secbits));
396
+
397
+
/* Checks lock set but unchanged. */
398
+
EXPECT_EQ(variant->error, test_secbits_set(secbits));
399
+
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
400
+
401
+
secbits &= ~SECBIT_EXEC_RESTRICT_FILE;
402
+
EXPECT_EQ(EPERM, test_secbits_set(0));
403
+
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
404
+
}
405
+
406
+
TEST_F(secbits, check_locked_unset)
407
+
{
408
+
unsigned int secbits = prctl(PR_GET_SECUREBITS);
409
+
410
+
secbits |= SECBIT_EXEC_RESTRICT_FILE_LOCKED;
411
+
EXPECT_EQ(0, test_secbits_set(secbits));
412
+
413
+
/* Checks lock unset but unchanged. */
414
+
EXPECT_EQ(variant->error, test_secbits_set(secbits));
415
+
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
416
+
417
+
secbits &= ~SECBIT_EXEC_RESTRICT_FILE;
418
+
EXPECT_EQ(EPERM, test_secbits_set(0));
419
+
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
420
+
}
421
+
422
+
TEST_F(secbits, restrict_locked_set)
423
+
{
424
+
unsigned int secbits = prctl(PR_GET_SECUREBITS);
425
+
426
+
secbits |= SECBIT_EXEC_DENY_INTERACTIVE;
427
+
EXPECT_EQ(0, test_secbits_set(secbits));
428
+
secbits |= SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
429
+
EXPECT_EQ(0, test_secbits_set(secbits));
430
+
431
+
/* Checks lock set but unchanged. */
432
+
EXPECT_EQ(variant->error, test_secbits_set(secbits));
433
+
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
434
+
435
+
secbits &= ~SECBIT_EXEC_DENY_INTERACTIVE;
436
+
EXPECT_EQ(EPERM, test_secbits_set(0));
437
+
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
438
+
}
439
+
440
+
TEST_F(secbits, restrict_locked_unset)
441
+
{
442
+
unsigned int secbits = prctl(PR_GET_SECUREBITS);
443
+
444
+
secbits |= SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
445
+
EXPECT_EQ(0, test_secbits_set(secbits));
446
+
447
+
/* Checks lock unset but unchanged. */
448
+
EXPECT_EQ(variant->error, test_secbits_set(secbits));
449
+
CHILD(EXPECT_EQ(variant->error, test_secbits_set(secbits)));
450
+
451
+
secbits &= ~SECBIT_EXEC_DENY_INTERACTIVE;
452
+
EXPECT_EQ(EPERM, test_secbits_set(0));
453
+
CHILD(EXPECT_EQ(EPERM, test_secbits_set(0)));
454
+
}
455
+
456
+
TEST_HARNESS_MAIN
+5
tools/testing/selftests/exec/false.c
+5
tools/testing/selftests/exec/false.c
+1
-1
tools/testing/selftests/kselftest/ktap_helpers.sh
+1
-1
tools/testing/selftests/kselftest/ktap_helpers.sh
+27
tools/testing/selftests/landlock/fs_test.c
+27
tools/testing/selftests/landlock/fs_test.c
···
37
37
#include <linux/fs.h>
38
38
#include <linux/mount.h>
39
39
40
+
/* Defines AT_EXECVE_CHECK without type conflicts. */
41
+
#define _ASM_GENERIC_FCNTL_H
42
+
#include <linux/fcntl.h>
43
+
40
44
#include "common.h"
41
45
42
46
#ifndef renameat2
···
2018
2014
};
2019
2015
}
2020
2016
2017
+
static void test_check_exec(struct __test_metadata *const _metadata,
2018
+
const int err, const char *const path)
2019
+
{
2020
+
int ret;
2021
+
char *const argv[] = { (char *)path, NULL };
2022
+
2023
+
ret = execveat(AT_FDCWD, path, argv, NULL,
2024
+
AT_EMPTY_PATH | AT_EXECVE_CHECK);
2025
+
if (err) {
2026
+
EXPECT_EQ(-1, ret);
2027
+
EXPECT_EQ(errno, err);
2028
+
} else {
2029
+
EXPECT_EQ(0, ret);
2030
+
}
2031
+
}
2032
+
2021
2033
TEST_F_FORK(layout1, execute)
2022
2034
{
2023
2035
const struct rule rules[] = {
···
2051
2031
copy_file(_metadata, bin_true, file1_s1d2);
2052
2032
copy_file(_metadata, bin_true, file1_s1d3);
2053
2033
2034
+
/* Checks before file1_s1d1 being denied. */
2035
+
test_execute(_metadata, 0, file1_s1d1);
2036
+
test_check_exec(_metadata, 0, file1_s1d1);
2037
+
2054
2038
enforce_ruleset(_metadata, ruleset_fd);
2055
2039
ASSERT_EQ(0, close(ruleset_fd));
2056
2040
2057
2041
ASSERT_EQ(0, test_open(dir_s1d1, O_RDONLY));
2058
2042
ASSERT_EQ(0, test_open(file1_s1d1, O_RDONLY));
2059
2043
test_execute(_metadata, EACCES, file1_s1d1);
2044
+
test_check_exec(_metadata, EACCES, file1_s1d1);
2060
2045
2061
2046
ASSERT_EQ(0, test_open(dir_s1d2, O_RDONLY));
2062
2047
ASSERT_EQ(0, test_open(file1_s1d2, O_RDONLY));
2063
2048
test_execute(_metadata, 0, file1_s1d2);
2049
+
test_check_exec(_metadata, 0, file1_s1d2);
2064
2050
2065
2051
ASSERT_EQ(0, test_open(dir_s1d3, O_RDONLY));
2066
2052
ASSERT_EQ(0, test_open(file1_s1d3, O_RDONLY));
2067
2053
test_execute(_metadata, 0, file1_s1d3);
2054
+
test_check_exec(_metadata, 0, file1_s1d3);
2068
2055
}
2069
2056
2070
2057
TEST_F_FORK(layout1, umount_sandboxer)