On Sun, 2016-08-21 at 21:01 -0700, Josh Max wrote: > This patch allows binfmt_misc to select the interpeter for arbitrary > binaries by comparing a specified registered keyword with the value > of a specified binary's extended attribute (user.binfmt.interp), > and then launching the program with the registered interpreter. > > This is useful when wanting to launch a collection of binaries under > the same interpreter, even when they do not necessarily share a > common extension or magic bits, or when their magic conflics with the > operation of binfmt_elf. Some examples of its use would be to launch > some executables of various different architectures in a directory, > or for running some native binaries under a sandbox (like firejail) > automatically during their launch. Could you expand on the use cases? The patch set looks OK; the issue with extended attributes is lack of universal support on filesystems, but that may not be a problem because they're definitely supported on all the standard ones. I think the current F flag solves the foreign binary in chroot or container. Self sandboxing sounds reasonable, but if this is a security feature, doesn't having the label under the user. EAs mean that the confined binary can simply remove the label and unconfine itself? James -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
