On Mon, Jul 08, 2024 at 09:40:45AM -0700, Jeff Xu wrote: > On Mon, Jul 8, 2024 at 9:26 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > > > * Jeff Xu: > > > > > Will dynamic linkers use the execveat(AT_CHECK) to check shared > > > libraries too ? or just the main executable itself. > > > > I expect that dynamic linkers will have to do this for everything they > > map. Correct, that would enable to safely handle LD_PRELOAD for instance. > Then all the objects (.so, .sh, etc.) will go through the check from > execveat's main to security_bprm_creds_for_exec(), some of them might > be specific for the main executable ? > e.g. ChromeOS uses security_bprm_creds_for_exec to block executable > memfd [1], applying this means automatically extending the block to > the .so object. That's a good example of how this AT_CHECK check makes sense. Landlock will probably get a similar (optional) restriction too: https://github.com/landlock-lsm/linux/issues/37 > > I'm not sure if other LSMs need to be updated ? e.g. will SELINUX > check for .so with its process transaction policy ? LSM should not need to be updated with this patch series. However, systems/components/containers enabling this new check should make sure it works with their current policy. > > [1] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3834992 > > -Jeff > > > > Usually, that does not include the maim program, but this can > > happen with explicit loader invocations (“ld.so /bin/true”). > > > > Thanks, > > Florian > >
