From nobody Wed Nov 27 08:37:12 2024 Received: from smtp-42ac.mail.infomaniak.ch (smtp-42ac.mail.infomaniak.ch [84.16.66.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BBFCF1D015A for ; Fri, 11 Oct 2024 18:44:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=84.16.66.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728672289; cv=none; b=b7nGNjv3htcuCNQDUdmCHxHy2dPzLesltiaHd1mt0/w3Yit/qVwmoAy22lzgt1aVBm02OgqecyP6cPRvDGjlm0BlBMsDnC8fnLFE6x92F8sNawjgASHXfBwejH4/xhJgPwQEcr50dqrnE6YPddTihrZdjVQBQaXld5Ii4B2ipmI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1728672289; c=relaxed/simple; bh=8KqYUKrMWdBGixKfVAYznH9ZbRRmasgxiQ7itI4rciQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=c0s1RsY7zkv/PO1/BDCXx09qscyxeAxx/t57b/5yKOw5uwgc1amDHSAQJswzpX9saA64LgNqJegE2jrpuQWsCf0U62JS9fEaPAndiWTjPntpLFbRDWswAejgiHgTmFBnm7LQV7HTjPwWluASxlZLT8jtNSX9pO3qypJULjhxh6Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net; spf=pass smtp.mailfrom=digikod.net; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b=NlTtbYK4; arc=none smtp.client-ip=84.16.66.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=digikod.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=digikod.net Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=digikod.net header.i=@digikod.net header.b="NlTtbYK4" Received: from smtp-3-0000.mail.infomaniak.ch (unknown [IPv6:2001:1600:4:17::246b]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4XQFsn1GZbzWVC; Fri, 11 Oct 2024 20:44:45 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digikod.net; s=20191114; t=1728672285; bh=Vvpf/UPrBwKGmfMqasK4l/LdMnZXKnPj6UGDBFOAmqg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=NlTtbYK4lDvb+pENr+AbJiY8Yn4KASa7LchXBZvKoo3qWbvQ3tSgFvrX91Mcoez+N HHtkx8JaWfz2X2Xe8bmmeMxhRo8ztKooQnoSai1icwGlw6vzFrtmYaI/smBs1P6s5A iiGZPvFOuT22JUitbCLOVIqHCK5694jeW+/qapr0= Received: from unknown by smtp-3-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4XQFsl5rK0z5Ld; Fri, 11 Oct 2024 20:44:43 +0200 (CEST) From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= To: Al Viro , Christian Brauner , Kees Cook , Linus Torvalds , Paul Moore , Serge Hallyn , Theodore Ts'o Cc: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , Adhemerval Zanella Netto , Alejandro Colomar , Aleksa Sarai , Andrew Morton , Andy Lutomirski , Arnd Bergmann , Casey Schaufler , Christian Heimes , Dmitry Vyukov , Elliott Hughes , Eric Biggers , Eric Chiang , Fan Wu , Florian Weimer , Geert Uytterhoeven , James Morris , Jan Kara , Jann Horn , Jeff Xu , Jonathan Corbet , Jordan R Abrahams , Lakshmi Ramasubramanian , Luca Boccassi , Luis Chamberlain , "Madhavan T . Venkataraman" , Matt Bobrowski , Matthew Garrett , Matthew Wilcox , Miklos Szeredi , Mimi Zohar , Nicolas Bouchinet , Scott Shell , Shuah Khan , Stephen Rothwell , Steve Dower , Steve Grubb , Thibaut Sautereau , Vincent Strubel , Xiaoming Ni , Yin Fengwei , kernel-hardening@lists.openwall.com, linux-api@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v20 5/6] samples/check-exec: Add set-exec Date: Fri, 11 Oct 2024 20:44:21 +0200 Message-ID: <20241011184422.977903-6-mic@digikod.net> In-Reply-To: <20241011184422.977903-1-mic@digikod.net> References: <20241011184422.977903-1-mic@digikod.net> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-Infomaniak-Routing: alpha Add a simple tool to set SECBIT_EXEC_RESTRICT_FILE or SECBIT_EXEC_DENY_INTERACTIVE before executing a command. This is useful to easily test against enlighten script interpreters. Cc: Al Viro Cc: Christian Brauner Cc: Kees Cook Cc: Paul Moore Cc: Serge Hallyn Signed-off-by: Micka=C3=ABl Sala=C3=BCn Link: https://lore.kernel.org/r/20241011184422.977903-6-mic@digikod.net --- Changes since v19: * Rename file and directory. * Update securebits and related arguments. * Remove useless call to prctl() when securebits are unchanged. --- samples/Kconfig | 7 +++ samples/Makefile | 1 + samples/check-exec/.gitignore | 1 + samples/check-exec/Makefile | 14 ++++++ samples/check-exec/set-exec.c | 85 +++++++++++++++++++++++++++++++++++ 5 files changed, 108 insertions(+) create mode 100644 samples/check-exec/.gitignore create mode 100644 samples/check-exec/Makefile create mode 100644 samples/check-exec/set-exec.c diff --git a/samples/Kconfig b/samples/Kconfig index b288d9991d27..efa28ceadc42 100644 --- a/samples/Kconfig +++ b/samples/Kconfig @@ -291,6 +291,13 @@ config SAMPLE_CGROUP help Build samples that demonstrate the usage of the cgroup API. =20 +config SAMPLE_CHECK_EXEC + bool "Exec secure bits examples" + depends on CC_CAN_LINK && HEADERS_INSTALL + help + Build a tool to easily configure SECBIT_EXEC_RESTRICT_FILE and + SECBIT_EXEC_DENY_INTERACTIVE. + source "samples/rust/Kconfig" =20 endif # SAMPLES diff --git a/samples/Makefile b/samples/Makefile index b85fa64390c5..f988202f3a30 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -3,6 +3,7 @@ =20 subdir-$(CONFIG_SAMPLE_AUXDISPLAY) +=3D auxdisplay subdir-$(CONFIG_SAMPLE_ANDROID_BINDERFS) +=3D binderfs +subdir-$(CONFIG_SAMPLE_CHECK_EXEC) +=3D check-exec subdir-$(CONFIG_SAMPLE_CGROUP) +=3D cgroup obj-$(CONFIG_SAMPLE_CONFIGFS) +=3D configfs/ obj-$(CONFIG_SAMPLE_CONNECTOR) +=3D connector/ diff --git a/samples/check-exec/.gitignore b/samples/check-exec/.gitignore new file mode 100644 index 000000000000..3f8119112ccf --- /dev/null +++ b/samples/check-exec/.gitignore @@ -0,0 +1 @@ +/set-exec diff --git a/samples/check-exec/Makefile b/samples/check-exec/Makefile new file mode 100644 index 000000000000..d9f976e3ff98 --- /dev/null +++ b/samples/check-exec/Makefile @@ -0,0 +1,14 @@ +# SPDX-License-Identifier: BSD-3-Clause + +userprogs-always-y :=3D \ + set-exec + +userccflags +=3D -I usr/include + +.PHONY: all clean + +all: + $(MAKE) -C ../.. samples/check-exec/ + +clean: + $(MAKE) -C ../.. M=3Dsamples/check-exec/ clean diff --git a/samples/check-exec/set-exec.c b/samples/check-exec/set-exec.c new file mode 100644 index 000000000000..ba86a60a20dd --- /dev/null +++ b/samples/check-exec/set-exec.c @@ -0,0 +1,85 @@ +// SPDX-License-Identifier: BSD-3-Clause +/* + * Simple tool to set SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACT= IVE, + * before executing a command. + * + * Copyright =C2=A9 2024 Microsoft Corporation + */ + +#define _GNU_SOURCE +#define __SANE_USERSPACE_TYPES__ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static void print_usage(const char *argv0) +{ + fprintf(stderr, "usage: %s -f|-i -- [args]...\n\n", argv0); + fprintf(stderr, "Execute a command with\n"); + fprintf(stderr, "- SECBIT_EXEC_RESTRICT_FILE set: -f\n"); + fprintf(stderr, "- SECBIT_EXEC_DENY_INTERACTIVE set: -i\n"); +} + +int main(const int argc, char *const argv[], char *const *const envp) +{ + const char *cmd_path; + char *const *cmd_argv; + int opt, secbits_cur, secbits_new; + bool has_policy =3D false; + + secbits_cur =3D prctl(PR_GET_SECUREBITS); + if (secbits_cur =3D=3D -1) { + /* + * This should never happen, except with a buggy seccomp + * filter. + */ + perror("ERROR: Failed to get securebits"); + return 1; + } + + secbits_new =3D secbits_cur; + while ((opt =3D getopt(argc, argv, "fi")) !=3D -1) { + switch (opt) { + case 'f': + secbits_new |=3D SECBIT_EXEC_RESTRICT_FILE | + SECBIT_EXEC_RESTRICT_FILE_LOCKED; + has_policy =3D true; + break; + case 'i': + secbits_new |=3D SECBIT_EXEC_DENY_INTERACTIVE | + SECBIT_EXEC_DENY_INTERACTIVE_LOCKED; + has_policy =3D true; + break; + default: + print_usage(argv[0]); + return 1; + } + } + + if (!argv[optind] || !has_policy) { + print_usage(argv[0]); + return 1; + } + + if (secbits_cur !=3D secbits_new && + prctl(PR_SET_SECUREBITS, secbits_new)) { + perror("Failed to set secure bit(s)."); + fprintf(stderr, + "Hint: The running kernel may not support this feature.\n"); + return 1; + } + + cmd_path =3D argv[optind]; + cmd_argv =3D argv + optind; + fprintf(stderr, "Executing command...\n"); + execvpe(cmd_path, cmd_argv, envp); + fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path, + strerror(errno)); + return 1; +} --=20 2.46.1