From 1a1efaf8d6873a4d00f0a3329adbf4bc7703b0ee Mon Sep 17 00:00:00 2001
From: Jens Reidel
Date: Thu, 10 Jul 2025 14:30:59 +0000
Subject: [PATCH] linux: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
These were added in 6.14 with the following commit:
https://github.com/torvalds/linux/commit/a0623b2a1d595341971c189b90a6b06f42cd209d
Signed-off-by: Jens Reidel
---
 libc-test/build.rs | 12 +++++++++++-
 libc-test/semver/linux.txt | 5 +++++
 src/unix/linux_like/linux/mod.rs | 24 ++++++++++++++++++++++--
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/libc-test/build.rs b/libc-test/build.rs
index d3af5e5db1e7a..1be19127265fb 100644
--- a/libc-test/build.rs
+++ b/libc-test/build.rs
@@ -3513,7 +3513,7 @@ fn test_neutrino(target: &str) {
 )
 });
- cfg.skip_static(move |name| (name == "__dso_handle"));
+ cfg.skip_static(move |name| name == "__dso_handle");
 cfg.generate(src_hotfix_dir().join("lib.rs"), "main.rs");
 }
@@ -4661,6 +4661,16 @@ fn test_linux(target: &str) {
 // FIXME(linux): Requires >= 6.6 kernel headers.
 "PROC_EVENT_NONZERO_EXIT" => true,
+ // FIXME(linux): Requires >= 6.14 kernel headers.
+ "SECBIT_EXEC_DENY_INTERACTIVE"
+ | "SECBIT_EXEC_DENY_INTERACTIVE_LOCKED"
+ | "SECBIT_EXEC_RESTRICT_FILE"
+ | "SECBIT_EXEC_RESTRICT_FILE_LOCKED"
+ | "SECURE_ALL_UNPRIVILEGED" => true,
+
+ // FIXME(linux): Value changed in 6.14
+ "SECURE_ALL_BITS" | "SECURE_ALL_LOCKS" => true,
+
 _ => false,
 }
 });
diff --git a/libc-test/semver/linux.txt b/libc-test/semver/linux.txt
index f88769996e81b..a8806a36f4600 100644
--- a/libc-test/semver/linux.txt
+++ b/libc-test/semver/linux.txt
@@ -2776,6 +2776,10 @@ SCTP_STATUS
 SCTP_STREAM_RESET_INCOMING
 SCTP_STREAM_RESET_OUTGOING
 SCTP_UNORDERED
+SECBIT_EXEC_DENY_INTERACTIVE
+SECBIT_EXEC_DENY_INTERACTIVE_LOCKED
+SECBIT_EXEC_RESTRICT_FILE
+SECBIT_EXEC_RESTRICT_FILE_LOCKED
 SECBIT_KEEP_CAPS
 SECBIT_KEEP_CAPS_LOCKED
 SECBIT_NOROOT
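Review bot: The new skip entries for `SECURE_ALL_BITS` and `SECURE_ALL_LOCKS` in the test_linux hunk switch off header verification for two pre-existing constants entirely, not merely for names that older headers lack, so a wrong mask in mod.rs would no longer be caught by this test even once 6.14 headers are in use. If the build script already detects the kernel header version, the skip should be conditional on headers older than 6.14; otherwise the FIXME should at least say `// FIXME(linux): Value changed in 6.14; drop this skip once CI headers are >= 6.14.` so it is not forgotten. The body of `test_linux` continues outside the hunk.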
@@ -2815,6 +2819,7 @@ SECCOMP_USER_NOTIF_FLAG_CONTINUE
 SECUREBITS_DEFAULT
 SECURE_ALL_BITS
 SECURE_ALL_LOCKS
+SECURE_ALL_UNPRIVILEGED
 SEEK_DATA
 SEEK_HOLE
 SELFMAG
diff --git a/src/unix/linux_like/linux/mod.rs b/src/unix/linux_like/linux/mod.rs
index 436244b0ecf6d..cbea6c796379b 100644
--- a/src/unix/linux_like/linux/mod.rs
+++ b/src/unix/linux_like/linux/mod.rs
@@ -4750,11 +4750,31 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE
 pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
+const SECURE_EXEC_RESTRICT_FILE: c_int = 8;
+const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9;
+
+pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE);
+pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED);
+
+const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10;
+const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11;
+
+pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int =
+ issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED);
+
 pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
-pub const SECURE_ALL_BITS: c_int =
- SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
+pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT
+ | SECBIT_NO_SETUID_FIXUP
+ | SECBIT_KEEP_CAPS
+ | SECBIT_NO_CAP_AMBIENT_RAISE
+ | SECBIT_EXEC_RESTRICT_FILE
+ | SECBIT_EXEC_DENY_INTERACTIVE;
 pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
+pub const SECURE_ALL_UNPRIVILEGED: c_int =
+ issecure_mask(SECURE_EXEC_RESTRICT_FILE) | issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+
 const fn issecure_mask(x: c_int) -> c_int {
 1 << x
 }
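Review bot: Widening `SECURE_ALL_BITS` (and through it `SECURE_ALL_LOCKS`) silently changes the value of two constants existing callers already pass to prctl(PR_SET_SECUREBITS, …): on kernels before 6.14 the new mask carries bits the kernel does not define, and as far as I know the securebits handler rejects undefined bits with EPERM, so a call that used to succeed on such kernels would start failing — the crate cannot know the running kernel, so this belongs in a doc comment. I would put `/// Since Linux 6.14 this also includes SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE; older kernels do not accept those bits.` above `SECURE_ALL_BITS`, and give each new `SECBIT_EXEC_*` and `SECURE_ALL_UNPRIVILEGED` a one-line `///` pointing at the kernel commit cited in the description, since none of the added constants is documented. As a style point, `SECURE_ALL_UNPRIVILEGED` spells its members as `issecure_mask(SECURE_EXEC_…)` while `SECURE_ALL_BITS` a few lines above uses the `SECBIT_*` names; `SECBIT_EXEC_RESTRICT_FILE | SECBIT_EXEC_DENY_INTERACTIVE` would be consistent and shorter.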