
Commit e52d93f

committed
linux: Add EXEC_RESTRICT_FILE and EXEC_DENY_INTERACTIVE securebits
These were added in 6.14 with the following commit: torvalds/linux@a0623b2
Signed-off-by: Jens Reidel <[email protected]>
1 parent 6e8350e commit e52d93f


2 files changed

+26
-2
lines changed


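--- a/libc-test/semver/linux.txt
+++ b/libc-test/semver/linux.txt
@@ -2784,6 +2784,10 @@ SECBIT_NO_CAP_AMBIENT_RAISE
 SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED
 SECBIT_NO_SETUID_FIXUP
 SECBIT_NO_SETUID_FIXUP_LOCKED
+SECBIT_EXEC_RESTRICT_FILE
+SECBIT_EXEC_RESTRICT_FILE_LOCKED
+SECBIT_EXEC_DENY_INTERACTIVE
+SECBIT_EXEC_DENY_INTERACTIVE_LOCKED
 SECCOMP_ADDFD_FLAG_SEND
 SECCOMP_ADDFD_FLAG_SETFD
 SECCOMP_FILTER_FLAG_LOG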

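--- a/src/unix/linux_like/linux/mod.rs
+++ b/src/unix/linux_like/linux/mod.rs
@@ -4750,11 +4750,31 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE
 pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
 
+const SECURE_EXEC_RESTRICT_FILE: c_int = 8;
+const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9;
+
+pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE);
+pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int =
+issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED);
+
+const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10;
+const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11;
+
+pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE);
+pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int =
+issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED);
+
 pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
-pub const SECURE_ALL_BITS: c_int =
-SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
+pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT
+| SECBIT_NO_SETUID_FIXUP
+| SECBIT_KEEP_CAPS
+| SECBIT_NO_CAP_AMBIENT_RAISE
+| SECBIT_EXEC_RESTRICT_FILE
+| SECBIT_EXEC_DENY_INTERACTIVE;
 pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
 
+pub const SECURE_ALL_UNPRIVILEGED: c_int = SECBIT_EXEC_RESTRICT_FILE | SECBIT_EXEC_DENY_INTERACTIVE;
+
 const fn issecure_mask(x: c_int) -> c_int {
 1 << x
 }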
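Review bot: `SECURE_ALL_UNPRIVILEGED` (new line 4776) is a new public constant, yet unlike the four `SECBIT_EXEC_*` names it is not added to `libc-test/semver/linux.txt` in the other section of this commit; if that list is meant to enumerate every public item for this platform, it should carry this name as well. Its meaning is also undocumented: the name suggests it is the subset of securebits the kernel lets a process set without `CAP_SETPCAP`, but that is inferred from the kernel commit named in the description rather than visible here, so a doc comment along the lines of `/// Securebits the kernel allows an unprivileged process to set; matches SECURE_ALL_UNPRIVILEGED in the kernel's securebits.h` would save callers a trip to the kernel source. `SECURE_ALL_LOCKS` still derives correctly as `SECURE_ALL_BITS << 1` because each new `*_LOCKED` bit number is the unlocked bit plus one (8/9, 10/11); since that invariant now spans six bits, a one-line comment on `SECURE_ALL_BITS` such as `// Every *_LOCKED bit is its unlocked bit + 1, which is what makes SECURE_ALL_LOCKS = SECURE_ALL_BITS << 1 valid.` would keep future additions from silently breaking it.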
