linux: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits

Gelbpunkt · tgross35 · commit 9fa71a8666de · 2025-07-29T08:22:51.000Z
These were added in 6.14 with the following commit: torvalds/linux@a0623b2 Signed-off-by: Jens Reidel <adrian@travitia.xyz> (backport <#4545>) (cherry picked from commit 1a1efaf)
diff --git a/libc-test/build.rs b/libc-test/build.rs
@@ -4735,6 +4735,16 @@ fn test_linux(target: &str) {
             // FIXME(linux): Requires >= 6.6 kernel headers.
             "PROC_EVENT_NONZERO_EXIT" => true,
 
+            // FIXME(linux): Requires >= 6.14 kernel headers.
+            "SECBIT_EXEC_DENY_INTERACTIVE"
+            | "SECBIT_EXEC_DENY_INTERACTIVE_LOCKED"
+            | "SECBIT_EXEC_RESTRICT_FILE"
+            | "SECBIT_EXEC_RESTRICT_FILE_LOCKED"
+            | "SECURE_ALL_UNPRIVILEGED" => true,
+
+            // FIXME(linux): Value changed in 6.14
+            "SECURE_ALL_BITS" | "SECURE_ALL_LOCKS" => true,
+
             _ => false,
         }
     });
diff --git a/libc-test/semver/linux.txt b/libc-test/semver/linux.txt
@@ -2776,6 +2776,10 @@ SCTP_STATUS
 SCTP_STREAM_RESET_INCOMING
 SCTP_STREAM_RESET_OUTGOING
 SCTP_UNORDERED
+SECBIT_EXEC_DENY_INTERACTIVE
+SECBIT_EXEC_DENY_INTERACTIVE_LOCKED
+SECBIT_EXEC_RESTRICT_FILE
+SECBIT_EXEC_RESTRICT_FILE_LOCKED
 SECBIT_KEEP_CAPS
 SECBIT_KEEP_CAPS_LOCKED
 SECBIT_NOROOT
@@ -2815,6 +2819,7 @@ SECCOMP_USER_NOTIF_FLAG_CONTINUE
 SECUREBITS_DEFAULT
 SECURE_ALL_BITS
 SECURE_ALL_LOCKS
+SECURE_ALL_UNPRIVILEGED
 SEEK_DATA
 SEEK_HOLE
 SELFMAG
diff --git a/src/unix/linux_like/linux/mod.rs b/src/unix/linux_like/linux/mod.rs
@@ -4782,11 +4782,31 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE
 pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
     issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
 
+const SECURE_EXEC_RESTRICT_FILE: c_int = 8;
+const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9;
+
+pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE);
+pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED);
+
+const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10;
+const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11;
+
+pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int =
+    issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED);
+
 pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
-pub const SECURE_ALL_BITS: c_int =
-    SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
+pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT
+    | SECBIT_NO_SETUID_FIXUP
+    | SECBIT_KEEP_CAPS
+    | SECBIT_NO_CAP_AMBIENT_RAISE
+    | SECBIT_EXEC_RESTRICT_FILE
+    | SECBIT_EXEC_DENY_INTERACTIVE;
 pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
 
+pub const SECURE_ALL_UNPRIVILEGED: c_int =
+    issecure_mask(SECURE_EXEC_RESTRICT_FILE) | issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+
 const fn issecure_mask(x: c_int) -> c_int {
     1 << x
 }
