From: mcpain@altlinux.org
To: devel-kernel@lists.altlinux.org
Subject: [d-kernel] [PATCH 2/2] kiosk: add secureexec parameter
Date: Wed, 6 Aug 2025 16:18:23 +0300
Message-ID: <ad4ef69a74c4c90077700265ea386254df964fe8.1754485062.git.mcpain@altlinux.org> (raw)
In-Reply-To: <cover.1754485062.git.mcpain@altlinux.org>
From: Oleg Solovyov <mcpain@altlinux.org>
if set to 0, secureexec will not be set, defaults to 1
---
 security/kiosk/kiosk_lsm.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c
index 20635af4936f..de92321dcd13 100644
--- a/security/kiosk/kiosk_lsm.c
+++ b/security/kiosk/kiosk_lsm.c
@@ -24,6 +24,7 @@ #define MAX_PATH 1024
 struct kiosk_list_struct {
+	int secureexec;
 	struct path path;
 	struct list_head list;
 };
@@ -62,6 +63,7 @@ enum kiosk_attrs {
 	KIOSK_NOATTR = 0,
 	KIOSK_ACTION,
 	KIOSK_DATA,
+	KIOSK_SECUREEXEC,
 	__KIOSK_MAX_ATTR,
 	KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,
 };
@@ -74,10 +76,13 @@ static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR + 1] = {
 		.type = NLA_STRING,
 		.len = sizeof(pathbuf) - 1
 	},
+	[KIOSK_SECUREEXEC] = {
+		.type = NLA_S16,
+	},
 };
 static int kiosk_add_item(struct list_head *list, char *filename,
-			  struct rw_semaphore *sem)
+			  int secureexec, struct rw_semaphore *sem)
 {
 	struct kiosk_list_struct *item, *tmp;
 	int mode;
@@ -106,12 +111,16 @@ static int kiosk_add_item(struct list_head *list, char *filename,
 	down_write(sem);
 	list_for_each_entry(tmp, list, list) {
 		if (item->path.dentry == tmp->path.dentry) {
+			if (tmp->secureexec != secureexec) {
+				tmp->secureexec = secureexec;
+			}
 			up_write(sem);
 			path_put(&item->path);
 			kfree(item);
 			return 0;
 		}
 	}
+	item->secureexec = secureexec;
 	list_add_tail(&item->list, list);
 	up_write(sem);
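Review bot: The new `[KIOSK_SECUREEXEC]` policy entry accepts any s16, while the only consumer distinguishes 0 from non-zero, so a malformed value such as -1 or 300 is silently stored and treated as "secure"; a range-checked entry, `[KIOSK_SECUREEXEC] = NLA_POLICY_RANGE(NLA_S16, 0, 1),`, rejects such requests at parse time instead (NLA_POLICY_RANGE needs a kernel recent enough to provide it — confirm against this tree). The new kiosk_add_item parameter also deserves a one-line comment at the signature, e.g. `/* secureexec: 0 = clear bprm->secureexec for this path, non-zero = leave it untouched */`, since the meaning of the integer is only visible in the bprm hook. kiosk_add_item's body continues past the hunk.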
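Review bot: Re-adding a path that is already on the list now silently rewrites its `secureexec` flag, so a later ADD carrying 0 (or omitting the attribute, which this series defaults to 1) flips an existing entry's policy with no trace in the log; emitting a `pr_notice` when the stored value changes, or refusing to downgrade an existing entry to 0, would keep the policy change auditable. The `if (tmp->secureexec != secureexec)` wrapper adds nothing — `tmp->secureexec = secureexec;` alone has the same effect. kiosk_add_item starts and ends outside the hunk.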
@@ -244,12 +253,16 @@ static int kiosk_list_items(struct list_head *list, struct rw_semaphore *sem,
 static int kiosk_genl_doit(struct sk_buff *skb, struct genl_info *info)
 {
 	int action;
+	int secureexec;
 	if (info->attrs[KIOSK_DATA])
 		strscpy(pathbuf, nla_data(info->attrs[KIOSK_DATA]), sizeof(pathbuf));
 	else
 		pathbuf[0] = '\0';
+	secureexec = info->attrs[KIOSK_SECUREEXEC] ? nla_get_s16(info->attrs[KIOSK_SECUREEXEC]) : 1;
+
 	action = info->attrs[KIOSK_ACTION] ? nla_get_s16(info->attrs[KIOSK_ACTION]) : -1;
@@ -275,7 +288,7 @@ static int kiosk_genl_doit(struct sk_buff *skb, struct genl_info *info)
 		return 0;
 	}
 	case KIOSK_USERLIST_ADD:
-		return kiosk_add_item(&user_list, pathbuf, &user_sem);
+		return kiosk_add_item(&user_list, pathbuf, secureexec, &user_sem);
 	case KIOSK_USERLIST_DEL:
 		return kiosk_remove_item(&user_list, pathbuf, &user_sem);
@@ -329,6 +342,10 @@ static int kiosk_bprm_check_security(struct linux_binprm *bprm)
 	down_read(&user_sem);
 	list_for_each_entry(node, &user_list, list) {
 		if (bprm->file->f_path.dentry == node->path.dentry) {
+			if (node->secureexec == 0) {
+				bprm->secureexec = 0;
+				pr_notice_ratelimited("Kiosk: %s will not be treated securely\n", bprm->filename);
+			}
 			up_read(&user_sem);
 			return 0;
 		}
-- 
2.50.1
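Review bot: Clearing `bprm->secureexec` in the bprm_check hook overrides a decision already taken by commoncap and any other stacked LSM during the creds-from-file stage, and the resulting process then runs without AT_SECURE, so the dynamic loader honours LD_PRELOAD, LD_LIBRARY_PATH and related variables from the caller's environment. If the matched executable is set-uid/set-gid or carries file capabilities — the usual reason the flag was set — an unprivileged caller can inject code at the elevated privilege, so the bypass should refuse to clear the flag when the exec changes credentials, e.g. `if (node->secureexec == 0 && uid_eq(bprm->cred->euid, current_euid()) && gid_eq(bprm->cred->egid, current_egid()))` (capability gains need a cap_issubset check as well), or at minimum the patch must document that entries added with secureexec=0 must never be privileged binaries. This hook is also invoked once per binfmt stage, so for a script the dentry compared here may be the interpreter rather than the program the user invoked — worth confirming against the list's intended semantics. The log line prints `bprm->filename`, a caller-supplied string that may contain newlines; `pr_notice_ratelimited("Kiosk: %pD will not be treated securely\n", bprm->file);` logs the kernel's view of the path instead. kiosk_bprm_check_security starts and ends outside the hunk.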