[GIT PULL] AT_EXECVE_CHECK introduction for v6.14-rc1

From: Kees Cook
Date: Wed Jan 15 2025 - 19:18:34 EST


Hi Linus,

Please pull the AT_EXECVE_CHECK introduction for v6.14-rc1. I split
this series from the core execve tree since it's had a life of its own
as it has progressed from O_MAY_EXEC. :) This provides userspace with
a way to opt in to performing "execability" checks for things that are
executable but don't pass through execve(2) (e.g. scripts, dlopen libs,
etc). It's seen quite a bit of discussion and review, and has lived in
-next for the entire dev cycle. Included is documentation, samples, and
extensive selftests.

Thanks!

-Kees

The following changes since commit fac04efc5c793dccbd07e2d59af9f90b7fc0dca4:

Linux 6.13-rc2 (2024-12-08 14:03:39 -0800)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/AT_EXECVE_CHECK-v6.14-rc1

for you to fetch changes up to 95b3cdafd7cb74414070893445a9b731793f7b55:

ima: instantiate the bprm_creds_for_exec() hook (2024-12-18 17:00:29 -0800)

----------------------------------------------------------------
AT_EXECVE_CHECK introduction for v6.14-rc1

- Implement AT_EXECVE_CHECK flag to execveat(2) (Mickaël Salaün)

- Implement EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
(Mickaël Salaün)

- Add selftests and samples for AT_EXECVE_CHECK (Mickaël Salaün)

----------------------------------------------------------------
Mickaël Salaün (7):
exec: Add a new AT_EXECVE_CHECK flag to execveat(2)
security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits
selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK
samples/check-exec: Add set-exec
selftests: ktap_helpers: Fix uninitialized variable
samples/check-exec: Add an enlighten "inc" interpreter and 28 tests

Mimi Zohar (1):
ima: instantiate the bprm_creds_for_exec() hook

Documentation/userspace-api/check_exec.rst | 144 +++++++
Documentation/userspace-api/index.rst | 1 +
fs/exec.c | 20 +-
include/linux/binfmts.h | 7 +-
include/uapi/linux/audit.h | 1 +
include/uapi/linux/fcntl.h | 4 +
include/uapi/linux/securebits.h | 24 +-
samples/Kconfig | 9 +
samples/Makefile | 1 +
samples/check-exec/.gitignore | 2 +
samples/check-exec/Makefile | 15 +
samples/check-exec/inc.c | 205 ++++++++++
samples/check-exec/run-script-ask.inc | 9 +
samples/check-exec/script-ask.inc | 5 +
samples/check-exec/script-exec.inc | 4 +
samples/check-exec/script-noexec.inc | 4 +
samples/check-exec/set-exec.c | 85 ++++
security/commoncap.c | 29 +-
security/integrity/ima/ima_appraise.c | 27 +-
security/integrity/ima/ima_main.c | 29 ++
security/security.c | 10 +
tools/testing/selftests/exec/.gitignore | 4 +
tools/testing/selftests/exec/Makefile | 19 +-
tools/testing/selftests/exec/check-exec-tests.sh | 205 ++++++++++
tools/testing/selftests/exec/check-exec.c | 456 ++++++++++++++++++++++
tools/testing/selftests/exec/config | 2 +
tools/testing/selftests/exec/false.c | 5 +
tools/testing/selftests/kselftest/ktap_helpers.sh | 2 +-
tools/testing/selftests/landlock/fs_test.c | 27 ++
29 files changed, 1341 insertions(+), 14 deletions(-)
create mode 100644 Documentation/userspace-api/check_exec.rst
create mode 100644 samples/check-exec/.gitignore
create mode 100644 samples/check-exec/Makefile
create mode 100644 samples/check-exec/inc.c
create mode 100755 samples/check-exec/run-script-ask.inc
create mode 100755 samples/check-exec/script-ask.inc
create mode 100755 samples/check-exec/script-exec.inc
create mode 100644 samples/check-exec/script-noexec.inc
create mode 100644 samples/check-exec/set-exec.c
create mode 100755 tools/testing/selftests/exec/check-exec-tests.sh
create mode 100644 tools/testing/selftests/exec/check-exec.c
create mode 100644 tools/testing/selftests/exec/config
create mode 100644 tools/testing/selftests/exec/false.c

--
Kees Cook
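The interpreter-side use of this interface, as an added example that is not part of the pull request or of the samples/check-exec code in the tree: a script interpreter reads its securebits, asks the kernel via execveat(2) with AT_EXECVE_CHECK whether a script file would be allowed to execute (without executing it), and only then decides whether to run the file or an interactive/inline command. The fallback macro values for AT_EXECVE_CHECK and the two SECBIT_EXEC_* bits are assumptions taken from the series' uapi headers and should be verified against the target kernel; the helper names (check_script_fd, interpreter_may_run, and so on) are made up for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for toolchains whose headers predate this series. The values are
 * assumed to match what the series adds to include/uapi/linux/fcntl.h and
 * include/uapi/linux/securebits.h; verify them against your kernel headers. */
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
#ifndef SECBIT_EXEC_RESTRICT_FILE
#define SECBIT_EXEC_RESTRICT_FILE (1U << 8)
#endif
#ifndef SECBIT_EXEC_DENY_INTERACTIVE
#define SECBIT_EXEC_DENY_INTERACTIVE (1U << 10)
#endif

enum exec_check {
    EXEC_CHECK_ALLOWED,     /* kernel says the file may be executed */
    EXEC_CHECK_DENIED,      /* noexec mount, no x bit, LSM/IMA veto, or unopenable */
    EXEC_CHECK_UNSUPPORTED, /* running kernel does not know AT_EXECVE_CHECK */
};

struct exec_policy {
    bool restrict_file;    /* SECBIT_EXEC_RESTRICT_FILE is set */
    bool deny_interactive; /* SECBIT_EXEC_DENY_INTERACTIVE is set */
};

/* Pure helper: decode the two exec securebits from a PR_GET_SECUREBITS value. */
struct exec_policy exec_policy_from_securebits(unsigned long bits)
{
    struct exec_policy p = {
        .restrict_file = (bits & SECBIT_EXEC_RESTRICT_FILE) != 0,
        .deny_interactive = (bits & SECBIT_EXEC_DENY_INTERACTIVE) != 0,
    };
    return p;
}

/* Read the calling process's securebits; an unreadable value means "no policy". */
struct exec_policy exec_policy_current(void)
{
    int bits = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
    return exec_policy_from_securebits(bits < 0 ? 0UL : (unsigned long)bits);
}

/* Pure helper: classify the outcome of execveat(..., AT_EXECVE_CHECK).
 * EINVAL/ENOSYS means the flag is unknown to this kernel; any other
 * failure is a denial of execution. */
enum exec_check classify_check_result(long ret, int err)
{
    if (ret == 0)
        return EXEC_CHECK_ALLOWED;
    if (err == EINVAL || err == ENOSYS)
        return EXEC_CHECK_UNSUPPORTED;
    return EXEC_CHECK_DENIED;
}

/* Ask the kernel whether the file behind fd would be allowed to execute,
 * without executing it. The raw syscall is used so this also builds on a
 * libc that has no execveat() wrapper. */
enum exec_check check_script_fd(int fd)
{
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    long ret = syscall(SYS_execveat, fd, "", argv, envp,
                       AT_EMPTY_PATH | AT_EXECVE_CHECK);
    return classify_check_result(ret, errno);
}

enum exec_check check_script_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return EXEC_CHECK_DENIED;
    enum exec_check res = check_script_fd(fd);
    close(fd);
    return res;
}

/* Pure decision an interpreter makes before running code: a script file is
 * gated by the kernel check only when EXEC_RESTRICT_FILE is set, and code
 * that did not come from a checked file (REPL, -c, stdin) is refused when
 * EXEC_DENY_INTERACTIVE is set. With neither bit set, behaviour is unchanged. */
bool interpreter_may_run(struct exec_policy p, bool from_file, enum exec_check file_check)
{
    if (!from_file)
        return !p.deny_interactive;
    if (!p.restrict_file)
        return true;
    return file_check == EXEC_CHECK_ALLOWED;
}

int main(int argc, char **argv)
{
    struct exec_policy p = exec_policy_current();
    if (argc < 2) {
        bool ok = interpreter_may_run(p, false, EXEC_CHECK_DENIED);
        printf("interactive mode: %s\n", ok ? "allowed" : "denied by EXEC_DENY_INTERACTIVE");
        return ok ? 0 : 1;
    }
    enum exec_check chk = check_script_path(argv[1]);
    bool ok = interpreter_may_run(p, true, chk);
    printf("%s: check=%d restrict_file=%d -> %s\n", argv[1], (int)chk,
           (int)p.restrict_file, ok ? "run" : "refuse");
    return ok ? 0 : 1;
}
```

Run it as `./check script.inc` under a shell that has set the securebits (the set-exec sample in this series does that) to see the decision change; on a kernel without the flag the check reports "unsupported" and, with no securebits set, the interpreter falls back to its legacy behaviour of running the file.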