Executability check¶
The AT_EXECVE_CHECK execveat(2) flag, and the
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE securebits
are intended for script interpreters and dynamic linkers to enforce a
consistent execution security policy handled by the kernel. See the
samples/check-exec/inc.c example.
Whether an interpreter should check these securebits or not depends on the security risk of running malicious scripts with respect to the execution environment, and whether the kernel can check if a script is trustworthy or not. For instance, Python scripts running on a server can use arbitrary syscalls and access arbitrary files. Such interpreters should then be enlighten to use these securebits and let users define their security policy. However, a JavaScript engine running in a web browser should already be sandboxed and then should not be able to harm the user’s environment.
Script interpreters or dynamic linkers built for tailored execution environments
(e.g. hardened Linux distributions or hermetic container images) could use
AT_EXECVE_CHECK without checking the related securebits if backward
compatibility is handled by something else (e.g. atomic update ensuring that
all legitimate libraries are allowed to be executed). It is then recommended
for script interpreters and dynamic linkers to check the securebits at run time
by default, but also to provide the ability for custom builds to behave like if
SECBIT_EXEC_RESTRICT_FILE or SECBIT_EXEC_DENY_INTERACTIVE were always
set to 1 (i.e. always enforce restrictions).
AT_EXECVE_CHECK¶
Passing the AT_EXECVE_CHECK flag to execveat(2) only performs a
check on a regular file and returns 0 if execution of this file would be
allowed, ignoring the file format and then the related interpreter dependencies
(e.g. ELF libraries, script’s shebang).
Programs should always perform this check to apply kernel-level checks against
files that are not directly executed by the kernel but passed to a user space
interpreter instead. All files that contain executable code, from the point of
view of the interpreter, should be checked. However the result of this check
should only be enforced according to SECBIT_EXEC_RESTRICT_FILE or
SECBIT_EXEC_DENY_INTERACTIVE..
The main purpose of this flag is to improve the security and consistency of an
execution environment to ensure that direct file execution (e.g.
./script.sh) and indirect file execution (e.g. sh script.sh) lead to
the same result. For instance, this can be used to check if a file is
trustworthy according to the caller’s environment.
In a secure environment, libraries and any executable dependencies should also
be checked. For instance, dynamic linking should make sure that all libraries
are allowed for execution to avoid trivial bypass (e.g. using LD_PRELOAD).
For such secure execution environment to make sense, only trusted code should
be executable, which also requires integrity guarantees.
To avoid race conditions leading to time-of-check to time-of-use issues,
AT_EXECVE_CHECK should be used with AT_EMPTY_PATH to check against a
file descriptor instead of a path.
SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE¶
When SECBIT_EXEC_RESTRICT_FILE is set, a process should only interpret or
execute a file if a call to execveat(2) with the related file
descriptor and the AT_EXECVE_CHECK flag succeed.
This secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools... Except for test environments, the
related SECBIT_EXEC_RESTRICT_FILE_LOCKED bit should also be set.
Programs should only enforce consistent restrictions according to the securebits but without relying on any other user-controlled configuration. Indeed, the use case for these securebits is to only trust executable code vetted by the system configuration (through the kernel), so we should be careful to not let untrusted users control this configuration.
However, script interpreters may still use user configuration such as
environment variables as long as it is not a way to disable the securebits
checks. For instance, the PATH and LD_PRELOAD variables can be set by
a script’s caller. Changing these variables may lead to unintended code
executions, but only from vetted executable programs, which is OK. For this to
make sense, the system should provide a consistent security policy to avoid
arbitrary code execution e.g., by enforcing a write xor execute policy.
When SECBIT_EXEC_DENY_INTERACTIVE is set, a process should never interpret
interactive user commands (e.g. scripts). However, if such commands are passed
through a file descriptor (e.g. stdin), its content should be interpreted if a
call to execveat(2) with the related file descriptor and the
AT_EXECVE_CHECK flag succeed.
For instance, script interpreters called with a script snippet as argument
should always deny such execution if SECBIT_EXEC_DENY_INTERACTIVE is set.
This secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools... Except for test environments, the
related SECBIT_EXEC_DENY_INTERACTIVE_LOCKED bit should also be set.
Here is the expected behavior for a script interpreter according to combination of any exec securebits:
SECBIT_EXEC_RESTRICT_FILE=0andSECBIT_EXEC_DENY_INTERACTIVE=0Always interpret scripts, and allow arbitrary user commands (default).
No threat, everyone and everything is trusted, but we can get ahead of potential issues thanks to the call to execveat(2) with
AT_EXECVE_CHECKwhich should always be performed but ignored by the script interpreter. Indeed, this check is still important to enable systems administrators to verify requests (e.g. with audit) and prepare for migration to a secure mode.SECBIT_EXEC_RESTRICT_FILE=1andSECBIT_EXEC_DENY_INTERACTIVE=0Deny script interpretation if they are not executable, but allow arbitrary user commands.
The threat is (potential) malicious scripts run by trusted (and not fooled) users. That can protect against unintended script executions (e.g.
sh /tmp/*.sh). This makes sense for (semi-restricted) user sessions.SECBIT_EXEC_RESTRICT_FILE=0andSECBIT_EXEC_DENY_INTERACTIVE=1Always interpret scripts, but deny arbitrary user commands.
This use case may be useful for secure services (i.e. without interactive user session) where scripts’ integrity is verified (e.g. with IMA/EVM or dm-verity/IPE) but where access rights might not be ready yet. Indeed, arbitrary interactive commands would be much more difficult to check.
SECBIT_EXEC_RESTRICT_FILE=1andSECBIT_EXEC_DENY_INTERACTIVE=1Deny script interpretation if they are not executable, and also deny any arbitrary user commands.
The threat is malicious scripts run by untrusted users (but trusted code). This makes sense for system services that may only execute trusted scripts.