* Jeff Xu:

> On Mon, Jul 8, 2024 at 9:26 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>>
>> * Jeff Xu:
>>
>> > Will dynamic linkers use the execveat(AT_CHECK) to check shared
>> > libraries too ? or just the main executable itself.
>>
>> I expect that dynamic linkers will have to do this for everything they
>> map.
> Then all the objects (.so, .sh, etc.) will go through the check from
> execveat's main to security_bprm_creds_for_exec(), some of them might
> be specific for the main executable ?

If we want to avoid that, we could have an agreed-upon error code which
the LSM can signal that it'll never fail AT_CHECK checks, so we only
have to perform the extra system call once.

Thanks,
Florian