|
Message-ID: <20240704190137.696169-6-mic@digikod.net> Date: Thu, 4 Jul 2024 21:01:37 +0200 From: Mickaël Salaün <mic@...ikod.net> To: Al Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Kees Cook <keescook@...omium.org>, Linus Torvalds <torvalds@...ux-foundation.org>, Paul Moore <paul@...l-moore.com>, Theodore Ts'o <tytso@....edu> Cc: Mickaël Salaün <mic@...ikod.net>, Alejandro Colomar <alx.manpages@...il.com>, Aleksa Sarai <cyphar@...har.com>, Andrew Morton <akpm@...ux-foundation.org>, Andy Lutomirski <luto@...nel.org>, Arnd Bergmann <arnd@...db.de>, Casey Schaufler <casey@...aufler-ca.com>, Christian Heimes <christian@...hon.org>, Dmitry Vyukov <dvyukov@...gle.com>, Eric Biggers <ebiggers@...nel.org>, Eric Chiang <ericchiang@...gle.com>, Fan Wu <wufan@...ux.microsoft.com>, Florian Weimer <fweimer@...hat.com>, Geert Uytterhoeven <geert@...ux-m68k.org>, James Morris <jamorris@...ux.microsoft.com>, Jan Kara <jack@...e.cz>, Jann Horn <jannh@...gle.com>, Jeff Xu <jeffxu@...gle.com>, Jonathan Corbet <corbet@....net>, Jordan R Abrahams <ajordanr@...gle.com>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, Luca Boccassi <bluca@...ian.org>, Luis Chamberlain <mcgrof@...nel.org>, "Madhavan T . Venkataraman" <madvenka@...ux.microsoft.com>, Matt Bobrowski <mattbobrowski@...gle.com>, Matthew Garrett <mjg59@...f.ucam.org>, Matthew Wilcox <willy@...radead.org>, Miklos Szeredi <mszeredi@...hat.com>, Mimi Zohar <zohar@...ux.ibm.com>, Nicolas Bouchinet <nicolas.bouchinet@....gouv.fr>, Scott Shell <scottsh@...rosoft.com>, Shuah Khan <shuah@...nel.org>, Stephen Rothwell <sfr@...b.auug.org.au>, Steve Dower <steve.dower@...hon.org>, Steve Grubb <sgrubb@...hat.com>, Thibaut Sautereau <thibaut.sautereau@....gouv.fr>, Vincent Strubel <vincent.strubel@....gouv.fr>, Xiaoming Ni <nixiaoming@...wei.com>, Yin Fengwei <fengwei.yin@...el.com>, kernel-hardening@...ts.openwall.com, linux-api@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org Subject: [RFC PATCH v19 5/5] samples/should-exec: Add set-should-exec Add a simple tool to set SECBIT_SHOULD_EXEC_CHECK, SECBIT_SHOULD_EXEC_RESTRICT, and their lock counterparts before executing a command. This should be useful to easily test against script interpreters. Cc: Al Viro <viro@...iv.linux.org.uk> Cc: Christian Brauner <brauner@...nel.org> Cc: Kees Cook <keescook@...omium.org> Cc: Paul Moore <paul@...l-moore.com> Signed-off-by: Mickaël Salaün <mic@...ikod.net> Link: https://lore.kernel.org/r/20240704190137.696169-6-mic@digikod.net --- samples/Kconfig | 7 +++ samples/Makefile | 1 + samples/should-exec/.gitignore | 1 + samples/should-exec/Makefile | 13 ++++ samples/should-exec/set-should-exec.c | 88 +++++++++++++++++++++++++++ 5 files changed, 110 insertions(+) create mode 100644 samples/should-exec/.gitignore create mode 100644 samples/should-exec/Makefile create mode 100644 samples/should-exec/set-should-exec.c diff --git a/samples/Kconfig b/samples/Kconfig index b288d9991d27..d8f2639bc830 100644 --- a/samples/Kconfig +++ b/samples/Kconfig @@ -180,6 +180,13 @@ config SAMPLE_SECCOMP Build samples of seccomp filters using various methods of BPF filter construction. +config SAMPLE_SHOULD_EXEC + bool "Should-exec secure bits examples" + depends on CC_CAN_LINK && HEADERS_INSTALL + help + Build a tool to easily configure SECBIT_SHOULD_EXEC_CHECK, + SECBIT_SHOULD_EXEC_RESTRICT and their lock counterparts. + config SAMPLE_TIMER bool "Timer sample" depends on CC_CAN_LINK && HEADERS_INSTALL diff --git a/samples/Makefile b/samples/Makefile index b85fa64390c5..0e7a97fb222d 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -19,6 +19,7 @@ subdir-$(CONFIG_SAMPLE_PIDFD) += pidfd obj-$(CONFIG_SAMPLE_QMI_CLIENT) += qmi/ obj-$(CONFIG_SAMPLE_RPMSG_CLIENT) += rpmsg/ subdir-$(CONFIG_SAMPLE_SECCOMP) += seccomp +subdir-$(CONFIG_SAMPLE_SHOULD_EXEC) += should-exec subdir-$(CONFIG_SAMPLE_TIMER) += timers obj-$(CONFIG_SAMPLE_TRACE_EVENTS) += trace_events/ obj-$(CONFIG_SAMPLE_TRACE_CUSTOM_EVENTS) += trace_events/ diff --git a/samples/should-exec/.gitignore b/samples/should-exec/.gitignore new file mode 100644 index 000000000000..ac46c614ec80 --- /dev/null +++ b/samples/should-exec/.gitignore @@ -0,0 +1 @@ +/set-should-exec diff --git a/samples/should-exec/Makefile b/samples/should-exec/Makefile new file mode 100644 index 000000000000..c4294278dd07 --- /dev/null +++ b/samples/should-exec/Makefile @@ -0,0 +1,13 @@ +# SPDX-License-Identifier: BSD-3-Clause + +userprogs-always-y := set-should-exec + +userccflags += -I usr/include + +.PHONY: all clean + +all: + $(MAKE) -C ../.. samples/should-exec/ + +clean: + $(MAKE) -C ../.. M=samples/should-exec/ clean diff --git a/samples/should-exec/set-should-exec.c b/samples/should-exec/set-should-exec.c new file mode 100644 index 000000000000..b3c31106d916 --- /dev/null +++ b/samples/should-exec/set-should-exec.c @@ -0,0 +1,88 @@ +// SPDX-License-Identifier: BSD-3-Clause +/* + * Simple tool to set SECBIT_SHOULD_EXEC_CHECK, SECBIT_SHOULD_EXEC_RESTRICT, + * and their lock counterparts before executing a command. + * + * Copyright © 2024 Microsoft Corporation + */ + +#define _GNU_SOURCE +#define __SANE_USERSPACE_TYPES__ +#include <errno.h> +#include <linux/prctl.h> +#include <linux/securebits.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/prctl.h> +#include <unistd.h> + +static void print_usage(const char *argv0) +{ + fprintf(stderr, "usage: %s -c|-r [-l] -- <cmd> [args]...\n\n", argv0); + fprintf(stderr, "Execute a command with\n"); + fprintf(stderr, "- SECBIT_SHOULD_EXEC_CHECK set: -c\n"); + fprintf(stderr, "- SECBIT_SHOULD_EXEC_RESTRICT set: -r\n"); + fprintf(stderr, "- SECBIT_SHOULD_EXEC_*_LOCKED set: -l\n"); +} + +int main(const int argc, char *const argv[], char *const *const envp) +{ + const char *cmd_path; + char *const *cmd_argv; + int opt, secbits, err; + bool has_policy = false; + + secbits = prctl(PR_GET_SECUREBITS); + + while ((opt = getopt(argc, argv, "crl")) != -1) { + switch (opt) { + case 'c': + secbits |= SECBIT_SHOULD_EXEC_CHECK; + has_policy = true; + break; + case 'r': + secbits |= SECBIT_SHOULD_EXEC_RESTRICT; + has_policy = true; + break; + case 'l': + secbits |= SECBIT_SHOULD_EXEC_CHECK_LOCKED; + secbits |= SECBIT_SHOULD_EXEC_RESTRICT_LOCKED; + break; + default: + print_usage(argv[0]); + return 1; + } + } + + if (!argv[optind] || !has_policy) { + print_usage(argv[0]); + return 1; + } + + err = prctl(PR_SET_SECUREBITS, secbits); + if (err) { + perror("Failed to set secure bit(s)."); + fprintf(stderr, + "Hint: The running kernel may not support this feature.\n"); + return 1; + } + + fprintf(stderr, "SECBIT_SHOULD_EXEC_CHECK: %d\n", + !!(secbits & SECBIT_SHOULD_EXEC_CHECK)); + fprintf(stderr, "SECBIT_SHOULD_EXEC_CHECK_LOCKED: %d\n", + !!(secbits & SECBIT_SHOULD_EXEC_CHECK_LOCKED)); + fprintf(stderr, "SECBIT_SHOULD_EXEC_RESTRICT: %d\n", + !!(secbits & SECBIT_SHOULD_EXEC_RESTRICT)); + fprintf(stderr, "SECBIT_SHOULD_EXEC_RESTRICT_LOCKED: %d\n", + !!(secbits & SECBIT_SHOULD_EXEC_RESTRICT_LOCKED)); + + cmd_path = argv[optind]; + cmd_argv = argv + optind; + fprintf(stderr, "Executing command...\n"); + execvpe(cmd_path, cmd_argv, envp); + fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path, + strerror(errno)); + return 1; +} -- 2.45.2
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.