[PATCH] execve: block Emacs binaries

[PATCH] execve: block Emacs binaries

[Mateusz Guzik]

No justification needed.

A new errno is introduced to indicate what happened.

Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
---
 fs/exec.c                        | 16 ++++++++++++++++
 include/uapi/asm-generic/errno.h |  2 ++
 2 files changed, 18 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 9ea3a775d51e..2e954b31e3a2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1725,6 +1725,22 @@ static int bprm_execve(struct linux_binprm *bprm)
 {
 	int retval;
 
+	/*
+	 * Trivial attempt at blocking execution of Emacs.
+	 *
+	 * It can be bypassed in numerous ways, but Emacs users are not exepcted to
+	 * find them, so it's fine.
+	 *
+	 * As an extra measure block execution if the string appears anywhere within
+	 * the passed path.
+	 */
+	if (strstr(bprm->filename, "emacs")) {
+		/*
+		 * Disgusting!
+		 */
+		return -EMACS;
+	}
+
 	retval = prepare_bprm_creds(bprm);
 	if (retval)
 		return retval;
diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
index 92e7ae493ee3..1a8fda40cd8a 100644
--- a/include/uapi/asm-generic/errno.h
+++ b/include/uapi/asm-generic/errno.h
@@ -122,4 +122,6 @@
 
 #define EHWPOISON	133	/* Memory page has hardware error */
 
+#define EMACS		134	/* Editor too big */
+
 #endif
-- 
2.48.1

Re: [PATCH] execve: block Emacs binaries

[Pedro Falcato]

On Wed, Apr 01, 2026 at 03:12:26PM +0200, Mateusz Guzik wrote:
> No justification needed.
> 
> A new errno is introduced to indicate what happened.
> 
> Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
> ---
>  fs/exec.c                        | 16 ++++++++++++++++
>  include/uapi/asm-generic/errno.h |  2 ++
>  2 files changed, 18 insertions(+)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index 9ea3a775d51e..2e954b31e3a2 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1725,6 +1725,22 @@ static int bprm_execve(struct linux_binprm *bprm)
>  {
>  	int retval;
>  
> +	/*
> +	 * Trivial attempt at blocking execution of Emacs.
> +	 *
> +	 * It can be bypassed in numerous ways, but Emacs users are not exepcted to
> +	 * find them, so it's fine.
> +	 *
> +	 * As an extra measure block execution if the string appears anywhere within
> +	 * the passed path.
> +	 */
> +	if (strstr(bprm->filename, "emacs")) {
> +		/*
> +		 * Disgusting!
> +		 */
> +		return -EMACS;
> +	}
> +

Can you block vim too? We only use ed(1) and GNU nano in this house.

-- 
Pedro

[PATCH 2/1] execve: only smart people should use vim

[Steven Rostedt]

From: Steven Rostedt <rostedt@goodmis.org>

To keep people from getting stuck in vim and not knowing how to exit it.
Make running vim a bit more complex.

They can go back and use emacs, of course that will fail too, but then
they have something to work on.

Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
---
 fs/exec.c                        | 11 +++++++++++
 include/uapi/asm-generic/errno.h |  1 +
 2 files changed, 12 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 2e954b31e3a2..ecb425388008 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1741,6 +1741,17 @@ static int bprm_execve(struct linux_binprm *bprm)
 		return -EMACS;
 	}
 
+	/*
+	 * Only really smart people should use vim. If they can't figure out
+	 * how to circumvent this, then they have no right using it!
+	 */
+	if (strstr(bprm->filename, "vim")) {
+		/*
+		 * Learn to code!
+		 */
+		return -NOTEMACS;
+	}
+
 	retval = prepare_bprm_creds(bprm);
 	if (retval)
 		return retval;
diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
index 1a8fda40cd8a..4cc4ae653cec 100644
--- a/include/uapi/asm-generic/errno.h
+++ b/include/uapi/asm-generic/errno.h
@@ -123,5 +123,6 @@
 #define EHWPOISON	133	/* Memory page has hardware error */
 
 #define EMACS		134	/* Editor too big */
+#define NOTEMACS	135	/* Editor used by smart people */
 
 #endif
-- 
2.51.0

Re: [PATCH 2/1] execve: only smart people should use vim

[Mateusz Guzik]

On Wed, Apr 1, 2026 at 8:53 PM Steven Rostedt <rostedt@goodmis.org> wrote:
>
> From: Steven Rostedt <rostedt@goodmis.org>
>
> To keep people from getting stuck in vim and not knowing how to exit it.
> Make running vim a bit more complex.
>
> They can go back and use emacs, of course that will fail too, but then
> they have something to work on.
>
> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> ---
>  fs/exec.c                        | 11 +++++++++++
>  include/uapi/asm-generic/errno.h |  1 +
>  2 files changed, 12 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index 2e954b31e3a2..ecb425388008 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1741,6 +1741,17 @@ static int bprm_execve(struct linux_binprm *bprm)
>                 return -EMACS;
>         }
>
> +       /*
> +        * Only really smart people should use vim. If they can't figure out
> +        * how to circumvent this, then they have no right using it!
> +        */
> +       if (strstr(bprm->filename, "vim")) {
> +               /*
> +                * Learn to code!
> +                */
> +               return -NOTEMACS;
> +       }
> +

I would consider extending this to nvim, otherwise looks good.

Reviewed-by: Mateusz Guzik <mjguzik@notobjecting.org>

>         retval = prepare_bprm_creds(bprm);
>         if (retval)
>                 return retval;
> diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
> index 1a8fda40cd8a..4cc4ae653cec 100644
> --- a/include/uapi/asm-generic/errno.h
> +++ b/include/uapi/asm-generic/errno.h
> @@ -123,5 +123,6 @@
>  #define EHWPOISON      133     /* Memory page has hardware error */
>
>  #define EMACS          134     /* Editor too big */
> +#define NOTEMACS       135     /* Editor used by smart people */
>
>  #endif
> --
> 2.51.0
>

Re: [PATCH 2/1] execve: only smart people should use vim

[Mateusz Guzik]

On Wed, Apr 1, 2026 at 8:58 PM Mateusz Guzik <mjguzik@gmail.com> wrote:
>
> On Wed, Apr 1, 2026 at 8:53 PM Steven Rostedt <rostedt@goodmis.org> wrote:
> >
> > From: Steven Rostedt <rostedt@goodmis.org>
> >
> > To keep people from getting stuck in vim and not knowing how to exit it.
> > Make running vim a bit more complex.
> >
> > They can go back and use emacs, of course that will fail too, but then
> > they have something to work on.
> >
> > Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
> > ---
> >  fs/exec.c                        | 11 +++++++++++
> >  include/uapi/asm-generic/errno.h |  1 +
> >  2 files changed, 12 insertions(+)
> >
> > diff --git a/fs/exec.c b/fs/exec.c
> > index 2e954b31e3a2..ecb425388008 100644
> > --- a/fs/exec.c
> > +++ b/fs/exec.c
> > @@ -1741,6 +1741,17 @@ static int bprm_execve(struct linux_binprm *bprm)
> >                 return -EMACS;
> >         }
> >
> > +       /*
> > +        * Only really smart people should use vim. If they can't figure out
> > +        * how to circumvent this, then they have no right using it!
> > +        */
> > +       if (strstr(bprm->filename, "vim")) {
> > +               /*
> > +                * Learn to code!
> > +                */
> > +               return -NOTEMACS;
> > +       }
> > +
>
> I would consider extending this to nvim, otherwise looks good.

that's of course already covered, my bad!

>
> Reviewed-by: Mateusz Guzik <mjguzik@notobjecting.org>
>
> >         retval = prepare_bprm_creds(bprm);
> >         if (retval)
> >                 return retval;
> > diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
> > index 1a8fda40cd8a..4cc4ae653cec 100644
> > --- a/include/uapi/asm-generic/errno.h
> > +++ b/include/uapi/asm-generic/errno.h
> > @@ -123,5 +123,6 @@
> >  #define EHWPOISON      133     /* Memory page has hardware error */
> >
> >  #define EMACS          134     /* Editor too big */
> > +#define NOTEMACS       135     /* Editor used by smart people */
> >
> >  #endif
> > --
> > 2.51.0
> >

Re: [PATCH] execve: block Emacs binaries

[Mateusz Guzik]

On Wed, Apr 1, 2026 at 8:37 PM Pedro Falcato <pfalcato@suse.de> wrote:
> Can you block vim too? We only use ed(1) and GNU nano in this house.
>

I heard nano is a company-issued editor at Suse.

If I wanted to mess with Red Hat I would block mcedit.

Re: [PATCH] execve: block Emacs binaries

[Eric Biggers]

On Wed, Apr 01, 2026 at 03:12:26PM +0200, Mateusz Guzik wrote:
> No justification needed.
> 
> A new errno is introduced to indicate what happened.
> 
> Signed-off-by: Mateusz Guzik <mjguzik@gmail.com>
> ---
>  fs/exec.c                        | 16 ++++++++++++++++
>  include/uapi/asm-generic/errno.h |  2 ++
>  2 files changed, 18 insertions(+)
> 
> diff --git a/fs/exec.c b/fs/exec.c
> index 9ea3a775d51e..2e954b31e3a2 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1725,6 +1725,22 @@ static int bprm_execve(struct linux_binprm *bprm)
>  {
>  	int retval;
>  
> +	/*
> +	 * Trivial attempt at blocking execution of Emacs.
> +	 *
> +	 * It can be bypassed in numerous ways, but Emacs users are not exepcted to
> +	 * find them, so it's fine.
> +	 *
> +	 * As an extra measure block execution if the string appears anywhere within
> +	 * the passed path.
> +	 */
> +	if (strstr(bprm->filename, "emacs")) {
> +		/*
> +		 * Disgusting!
> +		 */
> +		return -EMACS;
> +	}

Won't this break some existing text editing workflows?  To ensure a
seamless transition I'd suggest also embedding a copy of a proper text
editor into the kernel image, and making the kernel automatically
replace the emacs binary with it.

- Eric

Re: [PATCH] execve: block Emacs binaries

[David Laight]

On Wed, 1 Apr 2026 21:24:54 +0200
Mateusz Guzik <mjguzik@gmail.com> wrote:

> On Wed, Apr 1, 2026 at 8:37 PM Pedro Falcato <pfalcato@suse.de> wrote:
> > Can you block vim too? We only use ed(1) and GNU nano in this house.
> >  
> 
> I heard nano is a company-issued editor at Suse.
> 
> If I wanted to mess with Red Hat I would block mcedit.
> 

You are all wimps.

Try editing files in a small 'miniroot' for an embedded system.
If you are really lucky you've got a shell that supports ## and %%.

	David