[RFC PATCH v19 1/5] exec: Add a new AT_CHECK flag to execveat(2)
Florian Weimer
fweimer at redhat.com
Mon Jul 8 17:33:03 UTC 2024
* Jeff Xu:
> On Mon, Jul 8, 2024 at 9:26 AM Florian Weimer <fweimer at redhat.com> wrote:
>>
>> * Jeff Xu:
>>
>> > Will dynamic linkers use the execveat(AT_CHECK) to check shared
>> > libraries too ? or just the main executable itself.
>>
>> I expect that dynamic linkers will have to do this for everything they
>> map.
> Then all the objects (.so, .sh, etc.) will go through the check from
> execveat's main to security_bprm_creds_for_exec(), some of them might
> be specific for the main executable ?
If we want to avoid that, we could have an agreed-upon error code which
the LSM can signal that it'll never fail AT_CHECK checks, so we only
have to perform the extra system call once.
Thanks,
Florian
More information about the Linux-security-module-archive
mailing list