Merge tag 'AT_EXECVE_CHECK-v6.14-rc1-fix1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Pull AT_EXECVE_CHECK selftest fix from Kees Cook:
"Fixes the AT_EXECVE_CHECK selftests which didn't run on old versions
of glibc"

* tag 'AT_EXECVE_CHECK-v6.14-rc1-fix1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
selftests: Handle old glibc without execveat(2)

+26 -6
+9 -2
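--- a/samples/check-exec/inc.c
+++ b/samples/check-exec/inc.c
@@ -21,7 +21,14 @@
 #include <stdlib.h>
 #include <string.h>
 #include <sys/prctl.h>
+#include <sys/syscall.h>
 #include <unistd.h>
+
+static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
+char *const envp[], int flags)
+{
+return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
+}
 
 /* Returns 1 on error, 0 otherwise. */
 static int interpret_buffer(char *buffer, size_t buffer_size)
@@ -78,8 +85,8 @@
 * script execution. We must use the script file descriptor instead of
 * the script path name to avoid race conditions.
 */
-err = execveat(fileno(script), "", script_argv, envp,
-AT_EMPTY_PATH | AT_EXECVE_CHECK);
+err = sys_execveat(fileno(script), "", script_argv, envp,
+AT_EMPTY_PATH | AT_EXECVE_CHECK);
 if (err && restrict_stream) {
 perror("ERROR: Script execution check");
 return 1;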
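Review bot: The new `sys_execveat()` helper has no comment saying why it bypasses the libc function, and this is a sample that readers may copy into their own interpreters. I would add above it `/* Old glibc has no execveat(2) wrapper; call the syscall directly. syscall(2) returns -1 and sets errno, like the libc wrapper. */`, which also makes clear that the `perror()` path after the call still reports the kernel's error. The same comment fits the identical copies added in tools/testing/selftests/exec/check-exec.c and tools/testing/selftests/landlock/fs_test.c. The function containing the rewritten call starts and ends outside the hunk.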
+9 -2
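--- a/tools/testing/selftests/exec/check-exec.c
+++ b/tools/testing/selftests/exec/check-exec.c
@@ -22,6 +22,7 @@
 #include <sys/prctl.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/syscall.h>
 #include <sys/sysmacros.h>
 #include <unistd.h>
 
@@ -30,6 +31,12 @@
 #include <linux/fcntl.h>
 
 #include "../kselftest_harness.h"
+
+static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
+char *const envp[], int flags)
+{
+return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
+}
 
 static void drop_privileges(struct __test_metadata *const _metadata)
 {
@@ -219,8 +226,8 @@
 * test framework as an error. With AT_EXECVE_CHECK, we only check a
 * potential successful execution.
 */
-access_ret =
-execveat(fd, "", argv, NULL, AT_EMPTY_PATH | AT_EXECVE_CHECK);
+access_ret = sys_execveat(fd, "", argv, NULL,
+AT_EMPTY_PATH | AT_EXECVE_CHECK);
 access_errno = errno;
 if (err_code) {
 EXPECT_EQ(-1, access_ret);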
+8 -2
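--- a/tools/testing/selftests/landlock/fs_test.c
+++ b/tools/testing/selftests/landlock/fs_test.c
@@ -59,6 +59,12 @@
 }
 #endif
 
+static int sys_execveat(int dirfd, const char *pathname, char *const argv[],
+char *const envp[], int flags)
+{
+return syscall(__NR_execveat, dirfd, pathname, argv, envp, flags);
+}
+
 #ifndef RENAME_EXCHANGE
 #define RENAME_EXCHANGE (1 << 1)
 #endif
@@ -2024,8 +2030,8 @@
 int ret;
 char *const argv[] = { (char *)path, NULL };
 
-ret = execveat(AT_FDCWD, path, argv, NULL,
-AT_EMPTY_PATH | AT_EXECVE_CHECK);
+ret = sys_execveat(AT_FDCWD, path, argv, NULL,
+AT_EMPTY_PATH | AT_EXECVE_CHECK);
 if (err) {
 EXPECT_EQ(-1, ret);
 EXPECT_EQ(errno, err);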
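Review bot: The rewritten call passes `AT_EMPTY_PATH` together with `AT_FDCWD` and what looks like a non-empty `path` (it is also used as `argv[0]`). In that case the flag has no effect and the check resolves the file by name, unlike the fd-based calls in the other two files. If that is intended, a one-line comment such as `/* Path-based check on purpose: AT_EMPTY_PATH is ignored for a non-empty path. */` would stop the next reader from assuming an fd-based lookup; otherwise drop the flag. This file gains no `#include <sys/syscall.h>`, so `__NR_execveat` presumably relies on an include above line 59, outside the hunk. The enclosing helper starts and ends outside the hunk.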