1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
|
// SPDX-License-Identifier: BSD-3-Clause
/*
* Simple tool to set SECBIT_EXEC_RESTRICT_FILE, SECBIT_EXEC_DENY_INTERACTIVE,
* before executing a command.
*
* Copyright © 2024 Microsoft Corporation
*/
#define _GNU_SOURCE
#define __SANE_USERSPACE_TYPES__
#include <errno.h>
#include <linux/prctl.h>
#include <linux/securebits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
static void print_usage(const char *argv0)
{
fprintf(stderr, "usage: %s -f|-i -- <cmd> [args]...\n\n", argv0);
fprintf(stderr, "Execute a command with\n");
fprintf(stderr, "- SECBIT_EXEC_RESTRICT_FILE set: -f\n");
fprintf(stderr, "- SECBIT_EXEC_DENY_INTERACTIVE set: -i\n");
}
int main(const int argc, char *const argv[], char *const *const envp)
{
const char *cmd_path;
char *const *cmd_argv;
int opt, secbits_cur, secbits_new;
bool has_policy = false;
secbits_cur = prctl(PR_GET_SECUREBITS);
if (secbits_cur == -1) {
/*
* This should never happen, except with a buggy seccomp
* filter.
*/
perror("ERROR: Failed to get securebits");
return 1;
}
secbits_new = secbits_cur;
while ((opt = getopt(argc, argv, "fi")) != -1) {
switch (opt) {
case 'f':
secbits_new |= SECBIT_EXEC_RESTRICT_FILE |
SECBIT_EXEC_RESTRICT_FILE_LOCKED;
has_policy = true;
break;
case 'i':
secbits_new |= SECBIT_EXEC_DENY_INTERACTIVE |
SECBIT_EXEC_DENY_INTERACTIVE_LOCKED;
has_policy = true;
break;
default:
print_usage(argv[0]);
return 1;
}
}
if (!argv[optind] || !has_policy) {
print_usage(argv[0]);
return 1;
}
if (secbits_cur != secbits_new &&
prctl(PR_SET_SECUREBITS, secbits_new)) {
perror("Failed to set secure bit(s).");
fprintf(stderr,
"Hint: The running kernel may not support this feature.\n");
return 1;
}
cmd_path = argv[optind];
cmd_argv = argv + optind;
fprintf(stderr, "Executing command...\n");
execvpe(cmd_path, cmd_argv, envp);
fprintf(stderr, "Failed to execute \"%s\": %s\n", cmd_path,
strerror(errno));
return 1;
}
|
