Re: [RFC PATCH v19 2/5] security: Add new SHOULD_EXEC_CHECK and SHOULD_EXEC_RESTRICT securebits

From: Steve Dower
Date: Wed Jul 10 2024 - 12:37:04 EST


On 10/07/2024 10:58, Mickaël Salaün wrote:
On Tue, Jul 09, 2024 at 02:57:43PM -0700, Jeff Xu wrote:
Hmm, I'm not sure this "CHECK=0, RESTRICT=1" configuration would make
sense for a dynamic linker except maybe if we want to only allow static
binaries?

The CHECK and RESTRICT securebits are designed to make possible a
"permissive mode" and an enforcement mode with the related locked
securebits. This is why this "CHECK=0, RESTRICT=1" combination looks a
bit weird. We can replace these securebits with others but I didn't
find a better (and simple) option. I don't think this is an issue
because with any security policy we can create unusable combinations.
The three other combinations make a lot of sense though.

If we only need to handle 3 combinations, I would think something like
below is easier to understand, and doesn't have a weird state like
CHECK=0, RESTRICT=1

The "CHECK=0, RESTRICT=1" combination is useful for script interpreter
instances that should not interpret any command from users, e.g., but
only execute script files.

I see this case as being most relevant to something that doesn't usually need any custom scripts, but may have it. For example, macros in a document, or pre/post-install scripts for a package manager.

For something whose sole purpose is to execute scripts, it doesn't make much sense. But there are other cases that can be reasonably controlled with this option.

Cheers,
Steve
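To make the four combinations discussed above concrete, here is an added example (not code from the patch series or from any of the posters) of how a script interpreter could turn the two securebits into a policy: CHECK asks the kernel whether a script file may be executed, RESTRICT enforces the verdict and refuses interactive commands, and CHECK=0, RESTRICT=1 yields "run script files, no user commands". The bit positions and the function names are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Assumed bit positions for illustration only; the real values live in
 * the patch's securebits UAPI header, not here. */
#define ASSUMED_SECBIT_SHOULD_EXEC_CHECK    8
#define ASSUMED_SECBIT_SHOULD_EXEC_RESTRICT 10

struct exec_policy {
	bool check_scripts;    /* ask the kernel before running a script file   */
	bool enforce_scripts;  /* deny files the kernel rejects (else only log) */
	bool deny_interactive; /* refuse commands typed by a user / read from a tty */
};

enum exec_source { EXEC_SCRIPT_FILE, EXEC_INTERACTIVE };

/* Map the securebits word to the interpreter's behaviour. */
struct exec_policy policy_from_securebits(unsigned long bits)
{
	bool check = bits & (1UL << ASSUMED_SECBIT_SHOULD_EXEC_CHECK);
	bool restr = bits & (1UL << ASSUMED_SECBIT_SHOULD_EXEC_RESTRICT);
	/* CHECK=1,RESTRICT=0: permissive (check + log). CHECK=1,RESTRICT=1: enforce.
	 * CHECK=0,RESTRICT=1: no file check, but no interactive commands either. */
	struct exec_policy p = { check, check && restr, restr };
	return p;
}

/* kernel_allowed is the result of the kernel's file check; it is only
 * consulted for script files when the policy asks for the check. */
bool interpreter_allows(struct exec_policy p, enum exec_source src, bool kernel_allowed)
{
	if (src == EXEC_INTERACTIVE)
		return !p.deny_interactive;
	if (!p.check_scripts || kernel_allowed)
		return true;
	fprintf(stderr, "script file rejected by kernel check%s\n",
		p.enforce_scripts ? "" : " (permissive mode: running anyway)");
	return !p.enforce_scripts;
}

int main(void)
{
#ifdef __linux__
	int bits = prctl(PR_GET_SECUREBITS); /* the live securebits of this process */
	struct exec_policy p = policy_from_securebits(bits < 0 ? 0 : (unsigned long)bits);
	printf("check=%d enforce=%d deny_interactive=%d\n",
	       p.check_scripts, p.enforce_scripts, p.deny_interactive);
#endif
	return 0;
}
```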