git/linux-nf
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git synced 2026-04-05 00:08:32 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux

Browse Source 
Pull AT_EXECVE_CHECK from Kees Cook:

 - Implement AT_EXECVE_CHECK flag to execveat(2) (Mickaël Salaün)

 - Implement EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
   (Mickaël Salaün)

 - Add selftests and samples for AT_EXECVE_CHECK (Mickaël Salaün)

* tag 'AT_EXECVE_CHECK-v6.14-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
  ima: instantiate the bprm_creds_for_exec() hook
  samples/check-exec: Add an enlighten "inc" interpreter and 28 tests
  selftests: ktap_helpers: Fix uninitialized variable
  samples/check-exec: Add set-exec
  selftests/landlock: Add tests for execveat + AT_EXECVE_CHECK
  selftests/exec: Add 32 tests for AT_EXECVE_CHECK and exec securebits
  security: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
  exec: Add a new AT_EXECVE_CHECK flag to execveat(2)
This commit is contained in:
Linus Torvalds
2025-01-22 20:34:42 -08:00
parent 5ab889facc 95b3cdafd7
commit 21266b8df5
29 changed files with 1341 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
security/security.c
View File

@@ -1248,6 +1248,12 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm
* contains the linux_binprm structure.
*
* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is
* set. The result must be the same as without this flag even if the execution
* will never really happen and @bprm will always be dropped.
*
* This hook must not change current->cred, only @bprm->cred.
*
* Return: Returns 0 if the hook is successful and permission is granted.
*/
int security_bprm_creds_for_exec(struct linux_binprm *bprm)
@@ -3097,6 +3103,10 @@ int security_file_receive(struct file *file)
* Save open-time permission checking state for later use upon file_permission,
* and recheck access if anything has changed since inode_permission.
*
* We can check if a file is opened for execution (e.g. execve(2) call), either
* directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &
* __FMODE_EXEC .
*
* Return: Returns 0 if permission is granted.
*/
int security_file_open(struct file *file)