From: "Mickaël Salaün" <mic@digikod.net>
To: Andrea Cervesato <andrea.cervesato@suse.com>
Cc: landlock@lists.linux.dev
Subject: Re: Help with LANDLOCK_ACCESS_FS_EXECUTE
Date: Mon, 1 Jul 2024 17:16:19 +0200
Message-ID: <20240701.Pe4zeeph4epo@digikod.net>
In-Reply-To: <5dcec431-4089-4c73-93c6-eda0e0616ebc@suse.com>
Hi Andrea,
On Mon, Jul 01, 2024 at 04:25:53PM +0200, Andrea Cervesato wrote:
> Hi all,
>
> I'm actually writing a test for the LANDLOCK_ACCESS_FS_EXECUTE flag in LTP [1].
> The test is really simple: it applies the EXECUTE landlock rule inside a
> folder and verifies that a binary inside it can be executed.
> A similar test applies the rule only to the specific binary and checks
> its execution again.
Good to know you're working on that!
>
> But while I was writing the test, I encountered an issue with the specific
> rule setup, since EACCES is raised unexpectedly during binary execution.
> So I wrote a reproducer, assuming that LTP might be the issue, but it's not.
> The reproducer actually shows that the binary can't be executed after applying
> the EXECUTE rule.
>
> I will attach the source code to this email. Can you please tell me if
> there's something wrong with it?
I guess the binary you're trying to execute is dynamically linked, which
means that the kernel needs to open the related .so files on behalf of
the calling (sandboxed) process, which means that
LANDLOCK_ACCESS_FS_READ_FILE needs to be allowed on these files. You
can use a static binary to avoid this kind of issue, or just not handle
LANDLOCK_ACCESS_FS_READ_FILE.
>
> Best regards,
> Andrea Cervesato
>
>
> [1] https://linux-test-project.readthedocs.io/en/latest/
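As an added example (not code from this thread, LTP or the Landlock project), the setup the reply describes, in C: the ruleset handles both EXECUTE and READ_FILE, so besides EXECUTE on the binary the sandbox must also grant READ_FILE on the directories the dynamic loader reads .so files from. `exec_allowed` is a small model of that check (mine, not kernel code) so the failing and working rule sets can be compared; the three library paths and the `sandbox` program name are assumptions.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#if __has_include(<linux/landlock.h>)
# include <linux/landlock.h>
#else /* fallback copies of the UAPI definitions, for pre-5.13 kernel headers */
# define LANDLOCK_ACCESS_FS_EXECUTE   (1ULL << 0)
# define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
# define LANDLOCK_RULE_PATH_BENEATH   1
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr { uint64_t allowed_access; int32_t parent_fd; } __attribute__((packed));
#endif
#ifndef __NR_landlock_create_ruleset /* same syscall numbers on every architecture */
# define __NR_landlock_create_ruleset 444
# define __NR_landlock_add_rule 445
# define __NR_landlock_restrict_self 446
#endif
/* Model of the check exec runs into: every access the kernel needs that the ruleset
 * *handles* must be allowed on the file touched. exec needs EXECUTE on the binary; a
 * dynamic binary also makes the kernel open its .so files, so they need READ_FILE. */
int exec_allowed(uint64_t handled, uint64_t on_binary, uint64_t on_libs, int dynamic)
{
    uint64_t need_libs = dynamic ? LANDLOCK_ACCESS_FS_READ_FILE : 0;
    return !((LANDLOCK_ACCESS_FS_EXECUTE & handled & ~on_binary) || (need_libs & handled & ~on_libs));
}
static int add_rule(int ruleset_fd, const char *path, uint64_t access) /* 0 on success, else -1 */
{
    struct landlock_path_beneath_attr pb = { .allowed_access = access, .parent_fd = open(path, O_PATH | O_CLOEXEC) };
    if (pb.parent_fd < 0) return -1;
    int ret = syscall(__NR_landlock_add_rule, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd); return ret;
}
/* ./sandbox BINARY [ARGS...]: EXECUTE on BINARY plus READ_FILE on the loader's search dirs (paths assumed). */
int main(int argc, char *argv[])
{
    static const char *lib_dirs[] = { "/lib", "/lib64", "/usr/lib" };
    struct landlock_ruleset_attr attr = { .handled_access_fs = LANDLOCK_ACCESS_FS_EXECUTE | LANDLOCK_ACCESS_FS_READ_FILE };
    if (argc < 2) return 2;
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr.handled_access_fs, 0); /* FS field only: accepted by every ABI */
    if (fd < 0) { perror("landlock_create_ruleset"); return 1; }
    if (add_rule(fd, argv[1], LANDLOCK_ACCESS_FS_EXECUTE)) { perror(argv[1]); return 1; }
    for (size_t i = 0; i < sizeof lib_dirs / sizeof *lib_dirs; i++)
        add_rule(fd, lib_dirs[i], LANDLOCK_ACCESS_FS_READ_FILE); /* dirs that don't exist are skipped */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, fd, 0)) { perror("landlock_restrict_self"); return 1; }
    execv(argv[1], argv + 1);
    perror("execv"); return 1; /* EACCES here means a handled access is still not allowed */
}
```

Dropping LANDLOCK_ACCESS_FS_READ_FILE from handled_access_fs (the reply's second option) makes the library rules unnecessary, and a static binary needs none of them.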
Thread overview:
2024-07-01 14:25 Help with LANDLOCK_ACCESS_FS_EXECUTE (Andrea Cervesato)
2024-07-01 15:16 reply from Mickaël Salaün (this message)
2024-07-17 08:51 reply from Günther Noack