Skip to content

Commit 309c084

Browse files
tgross35tgross35
authored
Merge pull request #4545 from Gelbpunkt/new-secbits
linux: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
2 parents 2ac0a79 + 1a1efaf commit 309c084

File tree

3 files changed

+37
-2
lines changed

3 files changed

+37
-2
lines changed

libc-test/build.rs

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4661,6 +4661,16 @@ fn test_linux(target: &str) {
46614661
// FIXME(linux): Requires >= 6.6 kernel headers.
46624662
"PROC_EVENT_NONZERO_EXIT" => true,
46634663

4664+
// FIXME(linux): Requires >= 6.14 kernel headers.
4665+
"SECBIT_EXEC_DENY_INTERACTIVE"
4666+
| "SECBIT_EXEC_DENY_INTERACTIVE_LOCKED"
4667+
| "SECBIT_EXEC_RESTRICT_FILE"
4668+
| "SECBIT_EXEC_RESTRICT_FILE_LOCKED"
4669+
| "SECURE_ALL_UNPRIVILEGED" => true,
4670+
4671+
// FIXME(linux): Value changed in 6.14
4672+
"SECURE_ALL_BITS" | "SECURE_ALL_LOCKS" => true,
4673+
46644674
_ => false,
46654675
}
46664676
});

libc-test/semver/linux.txt

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2776,6 +2776,10 @@ SCTP_STATUS
27762776
SCTP_STREAM_RESET_INCOMING
27772777
SCTP_STREAM_RESET_OUTGOING
27782778
SCTP_UNORDERED
2779+
SECBIT_EXEC_DENY_INTERACTIVE
2780+
SECBIT_EXEC_DENY_INTERACTIVE_LOCKED
2781+
SECBIT_EXEC_RESTRICT_FILE
2782+
SECBIT_EXEC_RESTRICT_FILE_LOCKED
27792783
SECBIT_KEEP_CAPS
27802784
SECBIT_KEEP_CAPS_LOCKED
27812785
SECBIT_NOROOT
@@ -2815,6 +2819,7 @@ SECCOMP_USER_NOTIF_FLAG_CONTINUE
28152819
SECUREBITS_DEFAULT
28162820
SECURE_ALL_BITS
28172821
SECURE_ALL_LOCKS
2822+
SECURE_ALL_UNPRIVILEGED
28182823
SEEK_DATA
28192824
SEEK_HOLE
28202825
SELFMAG

src/unix/linux_like/linux/mod.rs

Lines changed: 22 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4750,11 +4750,31 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE
47504750
pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
47514751
issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
47524752

4753+
const SECURE_EXEC_RESTRICT_FILE: c_int = 8;
4754+
const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9;
4755+
4756+
pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE);
4757+
pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED);
4758+
4759+
const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10;
4760+
const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11;
4761+
4762+
pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
4763+
pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int =
4764+
issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED);
4765+
47534766
pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
4754-
pub const SECURE_ALL_BITS: c_int =
4755-
SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
4767+
pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT
4768+
| SECBIT_NO_SETUID_FIXUP
4769+
| SECBIT_KEEP_CAPS
4770+
| SECBIT_NO_CAP_AMBIENT_RAISE
4771+
| SECBIT_EXEC_RESTRICT_FILE
4772+
| SECBIT_EXEC_DENY_INTERACTIVE;
47564773
pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
47574774

4775+
pub const SECURE_ALL_UNPRIVILEGED: c_int =
4776+
issecure_mask(SECURE_EXEC_RESTRICT_FILE) | issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
4777+
47584778
const fn issecure_mask(x: c_int) -> c_int {
47594779
1 << x
47604780
}

0 commit comments

Comments
 (0)