[RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)
Mickaël Salaün
mic at digikod.net
Mon Jul 8 17:05:39 UTC 2024
On Mon, Jul 08, 2024 at 09:40:45AM -0700, Jeff Xu wrote:
> On Mon, Jul 8, 2024 at 9:26 AM Florian Weimer <fweimer at redhat.com> wrote:
> >
> > * Jeff Xu:
> >
> > > Will dynamic linkers use the execveat(AT_CHECK) to check shared
> > > libraries too ? or just the main executable itself.
> >
> > I expect that dynamic linkers will have to do this for everything they
> > map.
Correct, that would enable to safely handle LD_PRELOAD for instance.
> Then all the objects (.so, .sh, etc.) will go through the check from
> execveat's main to security_bprm_creds_for_exec(), some of them might
> be specific for the main executable ?
> e.g. ChromeOS uses security_bprm_creds_for_exec to block executable
> memfd [1], applying this means automatically extending the block to
> the .so object.
That's a good example of how this AT_CHECK check makes sense.
Landlock will probably get a similar (optional) restriction too:
https://github.com/landlock-lsm/linux/issues/37
>
> I'm not sure if other LSMs need to be updated ? e.g. will SELINUX
> check for .so with its process transaction policy ?
LSM should not need to be updated with this patch series. However,
systems/components/containers enabling this new check should make sure
it works with their current policy.
>
> [1] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3834992
>
> -Jeff
>
>
> > Usually, that does not include the maim program, but this can
> > happen with explicit loader invocations (“ld.so /bin/true”).
> >
> > Thanks,
> > Florian
> >
More information about the Linux-security-module-archive
mailing list