12 changes: 11 additions & 1 deletion libc-test/build.rs
@@ -3513,7 +3513,7 @@ fn test_neutrino(target: &str) {
)
});

cfg.skip_static(move |name| (name == "__dso_handle"));
cfg.skip_static(move |name| name == "__dso_handle");

cfg.generate(src_hotfix_dir().join("lib.rs"), "main.rs");
}
@@ -4661,6 +4661,16 @@ fn test_linux(target: &str) {
// FIXME(linux): Requires >= 6.6 kernel headers.
"PROC_EVENT_NONZERO_EXIT" => true,

// FIXME(linux): Requires >= 6.14 kernel headers.
"SECBIT_EXEC_DENY_INTERACTIVE"
| "SECBIT_EXEC_DENY_INTERACTIVE_LOCKED"
| "SECBIT_EXEC_RESTRICT_FILE"
| "SECBIT_EXEC_RESTRICT_FILE_LOCKED"
| "SECURE_ALL_UNPRIVILEGED" => true,

// FIXME(linux): Value changed in 6.14
"SECURE_ALL_BITS" | "SECURE_ALL_LOCKS" => true,

_ => false,
}
});
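Review bot: The new arm `"SECURE_ALL_BITS" | "SECURE_ALL_LOCKS" => true` skips the header comparison for the two constants whose values this change rewrites, so the hand-computed masks in `mod.rs` are not checked against any kernel header while the skip is in place. The FIXME gives the cause but not the exit condition; I would write it as `// FIXME(linux): Value changed in 6.14; drop this skip once the CI headers are >= 6.14 so the masks are verified again.` The closure and the `match` this arm belongs to begin outside the hunk.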
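--- a/libc-test/semver/linux.txt
+++ b/libc-test/semver/linux.txt
@@ -2776,6 +2776,10 @@ SCTP_STATUS
 SCTP_STREAM_RESET_INCOMING
 SCTP_STREAM_RESET_OUTGOING
 SCTP_UNORDERED
+SECBIT_EXEC_DENY_INTERACTIVE
+SECBIT_EXEC_DENY_INTERACTIVE_LOCKED
+SECBIT_EXEC_RESTRICT_FILE
+SECBIT_EXEC_RESTRICT_FILE_LOCKED
 SECBIT_KEEP_CAPS
 SECBIT_KEEP_CAPS_LOCKED
 SECBIT_NOROOT
@@ -2815,6 +2819,7 @@ SECCOMP_USER_NOTIF_FLAG_CONTINUE
 SECUREBITS_DEFAULT
 SECURE_ALL_BITS
 SECURE_ALL_LOCKS
+SECURE_ALL_UNPRIVILEGED
 SEEK_DATA
 SEEK_HOLE
 SELFMAG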
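--- a/src/unix/linux_like/linux/mod.rs
+++ b/src/unix/linux_like/linux/mod.rs
@@ -4750,11 +4750,31 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE
 pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
 
+const SECURE_EXEC_RESTRICT_FILE: c_int = 8;
+const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9;
+
+pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE);
+pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED);
+
+const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10;
+const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11;
+
+pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int =
+issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED);
+
 pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
-pub const SECURE_ALL_BITS: c_int =
-SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
+pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT
+| SECBIT_NO_SETUID_FIXUP
+| SECBIT_KEEP_CAPS
+| SECBIT_NO_CAP_AMBIENT_RAISE
+| SECBIT_EXEC_RESTRICT_FILE
+| SECBIT_EXEC_DENY_INTERACTIVE;
 pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
 
+pub const SECURE_ALL_UNPRIVILEGED: c_int =
+issecure_mask(SECURE_EXEC_RESTRICT_FILE) | issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+
 const fn issecure_mask(x: c_int) -> c_int {
 1 << x
 }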
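Review bot: `SECURE_ALL_BITS` and `SECURE_ALL_LOCKS` are existing public constants whose values change here (the two `EXEC_*` bits and, through the shift, their lock bits are added), and nothing on the declarations tells a caller so. Code that passes them to `prctl(PR_SET_SECUREBITS, ...)` or uses them as a validation mask will now carry bits that kernels older than 6.14 are not expected to recognise, so a call that succeeded before may be rejected there. A doc comment on both would make that visible, e.g. `/// Matches Linux 6.14 headers: includes SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE, which older kernels do not define.` The new `SECBIT_EXEC_*` constants and `SECURE_ALL_UNPRIVILEGED` also have no doc comments; one line each naming the securebit they set would help.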