On Mon, Jul 8, 2024 at 9:26 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: > > * Jeff Xu: > > > Will dynamic linkers use the execveat(AT_CHECK) to check shared > > libraries too ? or just the main executable itself. > > I expect that dynamic linkers will have to do this for everything they > map. Then all the objects (.so, .sh, etc.) will go through the check from execveat's main to security_bprm_creds_for_exec(), some of them might be specific for the main executable ? e.g. ChromeOS uses security_bprm_creds_for_exec to block executable memfd [1], applying this means automatically extending the block to the .so object. I'm not sure if other LSMs need to be updated ? e.g. will SELINUX check for .so with its process transaction policy ? [1] https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/3834992 -Jeff > Usually, that does not include the maim program, but this can > happen with explicit loader invocations (“ld.so /bin/true”). > > Thanks, > Florian >