syscall: add Landlock support for execve() on Linux#20
Open
hbrooks wants to merge 2 commits into
Open
Conversation
* In forkAndExecInChild1() on Linux, when SysProcAttr.NoNewPrivs is set, call prctl(PR_SET_NO_NEW_PRIVS). * Define the necessary constant unexported as _PR_SET_NO_NEW_PRIVS. When the no_new_privs flag is set, execve() does not grant additional permissions through execve() (e.g., through the set-user-ID bit). The no_new_privs flag is a prerequisite for enabling a Landlock policy in an unprivileged (non-CAP_SYS_ADMIN) thread. The no_new_privs flag is described in PR_SET_NO_NEW_PRIVS(2const). Updates landlock-lsm/go-landlock#45 Updates golang#68595
* Extend SysProcAttr on Linux to optionally store the ruleset FD and flag arguments for landlock_restrict_self(2). * Extend forkAndExecInChild1() to invoke the system call. * The test case exercises the logic and demonstrates that it works (provided that the host Linux system has the Landlock LSM enabled). * Define the necessary unexported _SYS_landlock_restrict_self constant. As it is customary in forkAndExecInChild1(), system calls need to be invoked with RawSyscall(), and their system call numbers are defined in the same package. (Depending on internal/syscall/unix would create an import loop.) The Landlock API is described in https://docs.kernel.org/userspace-api/landlock.html Updates landlock-lsm/go-landlock#45 Fixes golang#68595
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Mirror of golang/go#77630 by @gnoack