mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2024-12-28 16:52:18 +00:00
2a69962be4
Add a very simple script interpreter called "inc" that can evaluate two
different commands (one per line):
- "?" to initialize a counter from user's input;
- "+" to increment the counter (which is set to 0 by default).
It is enlighten to only interpret executable files according to
AT_EXECVE_CHECK and the related securebits:
# Executing a script with RESTRICT_FILE is only allowed if the script
# is executable:
./set-exec -f -- ./inc script-exec.inc # Allowed
./set-exec -f -- ./inc script-noexec.inc # Denied
# Executing stdin with DENY_INTERACTIVE is only allowed if stdin is an
# executable regular file:
./set-exec -i -- ./inc -i < script-exec.inc # Allowed
./set-exec -i -- ./inc -i < script-noexec.inc # Denied
# However, a pipe is not executable and it is then denied:
cat script-noexec.inc | ./set-exec -i -- ./inc -i # Denied
# Executing raw data (e.g. command argument) with DENY_INTERACTIVE is
# always denied.
./set-exec -i -- ./inc -c "+" # Denied
./inc -c "$(<script-ask.inc)" # Allowed
# To directly execute a script, we can update $PATH (used by `env`):
PATH="${PATH}:." ./script-exec.inc
# To execute several commands passed as argument:
Add a complete test suite to check the script interpreter against all
possible execution cases:
make TARGETS=exec kselftest-install
./tools/testing/selftests/kselftest_install/run_kselftest.sh
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Paul Moore <paul@paul-moore.com>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20241212174223.389435-8-mic@digikod.net
Signed-off-by: Kees Cook <kees@kernel.org>
206 lines
5.1 KiB
C
206 lines
5.1 KiB
C
// SPDX-License-Identifier: BSD-3-Clause
|
|
/*
|
|
* Very simple script interpreter that can evaluate two different commands (one
|
|
* per line):
|
|
* - "?" to initialize a counter from user's input;
|
|
* - "+" to increment the counter (which is set to 0 by default).
|
|
*
|
|
* See tools/testing/selftests/exec/check-exec-tests.sh and
|
|
* Documentation/userspace-api/check_exec.rst
|
|
*
|
|
* Copyright © 2024 Microsoft Corporation
|
|
*/
|
|
|
|
#define _GNU_SOURCE
|
|
#include <errno.h>
|
|
#include <linux/fcntl.h>
|
|
#include <linux/prctl.h>
|
|
#include <linux/securebits.h>
|
|
#include <stdbool.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/prctl.h>
|
|
#include <unistd.h>
|
|
|
|
/* Returns 1 on error, 0 otherwise. */
|
|
static int interpret_buffer(char *buffer, size_t buffer_size)
|
|
{
|
|
char *line, *saveptr = NULL;
|
|
long long number = 0;
|
|
|
|
/* Each command is the first character of a line. */
|
|
saveptr = NULL;
|
|
line = strtok_r(buffer, "\n", &saveptr);
|
|
while (line) {
|
|
if (*line != '#' && strlen(line) != 1) {
|
|
fprintf(stderr, "# ERROR: Unknown string\n");
|
|
return 1;
|
|
}
|
|
switch (*line) {
|
|
case '#':
|
|
/* Skips shebang and comments. */
|
|
break;
|
|
case '+':
|
|
/* Increments and prints the number. */
|
|
number++;
|
|
printf("%lld\n", number);
|
|
break;
|
|
case '?':
|
|
/* Reads integer from stdin. */
|
|
fprintf(stderr, "> Enter new number: \n");
|
|
if (scanf("%lld", &number) != 1) {
|
|
fprintf(stderr,
|
|
"# WARNING: Failed to read number from stdin\n");
|
|
}
|
|
break;
|
|
default:
|
|
fprintf(stderr, "# ERROR: Unknown character '%c'\n",
|
|
*line);
|
|
return 1;
|
|
}
|
|
line = strtok_r(NULL, "\n", &saveptr);
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* Returns 1 on error, 0 otherwise. */
|
|
static int interpret_stream(FILE *script, char *const script_name,
|
|
char *const *const envp, const bool restrict_stream)
|
|
{
|
|
int err;
|
|
char *const script_argv[] = { script_name, NULL };
|
|
char buf[128] = {};
|
|
size_t buf_size = sizeof(buf);
|
|
|
|
/*
|
|
* We pass a valid argv and envp to the kernel to emulate a native
|
|
* script execution. We must use the script file descriptor instead of
|
|
* the script path name to avoid race conditions.
|
|
*/
|
|
err = execveat(fileno(script), "", script_argv, envp,
|
|
AT_EMPTY_PATH | AT_EXECVE_CHECK);
|
|
if (err && restrict_stream) {
|
|
perror("ERROR: Script execution check");
|
|
return 1;
|
|
}
|
|
|
|
/* Reads script. */
|
|
buf_size = fread(buf, 1, buf_size - 1, script);
|
|
return interpret_buffer(buf, buf_size);
|
|
}
|
|
|
|
static void print_usage(const char *argv0)
|
|
{
|
|
fprintf(stderr, "usage: %s <script.inc> | -i | -c <command>\n\n",
|
|
argv0);
|
|
fprintf(stderr, "Example:\n");
|
|
fprintf(stderr, " ./set-exec -fi -- ./inc -i < script-exec.inc\n");
|
|
}
|
|
|
|
int main(const int argc, char *const argv[], char *const *const envp)
|
|
{
|
|
int opt;
|
|
char *cmd = NULL;
|
|
char *script_name = NULL;
|
|
bool interpret_stdin = false;
|
|
FILE *script_file = NULL;
|
|
int secbits;
|
|
bool deny_interactive, restrict_file;
|
|
size_t arg_nb;
|
|
|
|
secbits = prctl(PR_GET_SECUREBITS);
|
|
if (secbits == -1) {
|
|
/*
|
|
* This should never happen, except with a buggy seccomp
|
|
* filter.
|
|
*/
|
|
perror("ERROR: Failed to get securebits");
|
|
return 1;
|
|
}
|
|
|
|
deny_interactive = !!(secbits & SECBIT_EXEC_DENY_INTERACTIVE);
|
|
restrict_file = !!(secbits & SECBIT_EXEC_RESTRICT_FILE);
|
|
|
|
while ((opt = getopt(argc, argv, "c:i")) != -1) {
|
|
switch (opt) {
|
|
case 'c':
|
|
if (cmd) {
|
|
fprintf(stderr, "ERROR: Command already set");
|
|
return 1;
|
|
}
|
|
cmd = optarg;
|
|
break;
|
|
case 'i':
|
|
interpret_stdin = true;
|
|
break;
|
|
default:
|
|
print_usage(argv[0]);
|
|
return 1;
|
|
}
|
|
}
|
|
|
|
/* Checks that only one argument is used, or read stdin. */
|
|
arg_nb = !!cmd + !!interpret_stdin;
|
|
if (arg_nb == 0 && argc == 2) {
|
|
script_name = argv[1];
|
|
} else if (arg_nb != 1) {
|
|
print_usage(argv[0]);
|
|
return 1;
|
|
}
|
|
|
|
if (cmd) {
|
|
/*
|
|
* Other kind of interactive interpretations should be denied
|
|
* as well (e.g. CLI arguments passing script snippets,
|
|
* environment variables interpreted as script). However, any
|
|
* way to pass script files should only be restricted according
|
|
* to restrict_file.
|
|
*/
|
|
if (deny_interactive) {
|
|
fprintf(stderr,
|
|
"ERROR: Interactive interpretation denied.\n");
|
|
return 1;
|
|
}
|
|
|
|
return interpret_buffer(cmd, strlen(cmd));
|
|
}
|
|
|
|
if (interpret_stdin && !script_name) {
|
|
script_file = stdin;
|
|
/*
|
|
* As for any execve(2) call, this path may be logged by the
|
|
* kernel.
|
|
*/
|
|
script_name = "/proc/self/fd/0";
|
|
/*
|
|
* When stdin is used, it can point to a regular file or a
|
|
* pipe. Restrict stdin execution according to
|
|
* SECBIT_EXEC_DENY_INTERACTIVE but always allow executable
|
|
* files (which are not considered as interactive inputs).
|
|
*/
|
|
return interpret_stream(script_file, script_name, envp,
|
|
deny_interactive);
|
|
} else if (script_name && !interpret_stdin) {
|
|
/*
|
|
* In this sample, we don't pass any argument to scripts, but
|
|
* otherwise we would have to forge an argv with such
|
|
* arguments.
|
|
*/
|
|
script_file = fopen(script_name, "r");
|
|
if (!script_file) {
|
|
perror("ERROR: Failed to open script");
|
|
return 1;
|
|
}
|
|
/*
|
|
* Restricts file execution according to
|
|
* SECBIT_EXEC_RESTRICT_FILE.
|
|
*/
|
|
return interpret_stream(script_file, script_name, envp,
|
|
restrict_file);
|
|
}
|
|
|
|
print_usage(argv[0]);
|
|
return 1;
|
|
}
|