[PATCH v21 6/6] samples/check-exec: Add an enlighten "inc" interpreter and 28 tests
Mickaël Salaün
mic at digikod.net
Fri Nov 22 14:50:56 UTC 2024
On Thu, Nov 21, 2024 at 03:34:47PM -0500, Mimi Zohar wrote:
> Hi Mickaël,
>
> On Tue, 2024-11-12 at 20:18 +0100, Mickaël Salaün wrote:
> >
> > +
> > +/* Returns 1 on error, 0 otherwise. */
> > +static int interpret_stream(FILE *script, char *const script_name,
> > + char *const *const envp, const bool restrict_stream)
> > +{
> > + int err;
> > + char *const script_argv[] = { script_name, NULL };
> > + char buf[128] = {};
> > + size_t buf_size = sizeof(buf);
> > +
> > + /*
> > + * We pass a valid argv and envp to the kernel to emulate a native
> > + * script execution. We must use the script file descriptor instead of
> > + * the script path name to avoid race conditions.
> > + */
> > + err = execveat(fileno(script), "", script_argv, envp,
> > + AT_EMPTY_PATH | AT_EXECVE_CHECK);
>
> At least with v20, the AT_CHECK always was being set, independent of whether
> set-exec.c set it. I'll re-test with v21.
AT_EXECVE_CEHCK should always be set, only the interpretation of the
result should be relative to securebits. This is highlighted in the
documentation.
>
> thanks,
>
> Mimi
>
> > + if (err && restrict_stream) {
> > + perror("ERROR: Script execution check");
> > + return 1;
> > + }
> > +
> > + /* Reads script. */
> > + buf_size = fread(buf, 1, buf_size - 1, script);
> > + return interpret_buffer(buf, buf_size);
> > +}
> > +
>
>
More information about the Linux-security-module-archive
mailing list