From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=unavailable autolearn_force=no version=3.4.1
From: mcpain@altlinux.org
To: devel-kernel@lists.altlinux.org
Date: Wed, 6 Aug 2025 16:18:23 +0300
Message-ID:
X-Mailer: git-send-email 2.50.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [d-kernel] [PATCH 2/2] kiosk: add secureexec parameter
X-BeenThere: devel-kernel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux kernel packages development
List-Id: ALT Linux kernel packages development
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Aug 2025 13:18:38 -0000
Archived-At:
List-Archive:
List-Post:

From: Oleg Solovyov

if set to 0, secureexec will not be set, defaults to 1
---
 security/kiosk/kiosk_lsm.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/security/kiosk/kiosk_lsm.c b/security/kiosk/kiosk_lsm.c
index 20635af4936f..de92321dcd13 100644
--- a/security/kiosk/kiosk_lsm.c
+++ b/security/kiosk/kiosk_lsm.c
@@ -24,6 +24,7 @@
 #define MAX_PATH 1024
 
 struct kiosk_list_struct {
+ int secureexec;
 struct path path;
 struct list_head list;
 };
@@ -62,6 +63,7 @@ enum kiosk_attrs {
 KIOSK_NOATTR = 0,
 KIOSK_ACTION,
 KIOSK_DATA,
+ KIOSK_SECUREEXEC,
 __KIOSK_MAX_ATTR,
 KIOSK_MAX_ATTR = __KIOSK_MAX_ATTR - 1,
 };
@@ -74,10 +76,13 @@ static struct nla_policy kiosk_policy[KIOSK_MAX_ATTR + 1] = {
 .type = NLA_STRING,
 .len = sizeof(pathbuf) - 1
 },
+ [KIOSK_SECUREEXEC] = {
+ .type = NLA_S16,
+ },
 };
 
 static int kiosk_add_item(struct list_head *list, char *filename,
- struct rw_semaphore *sem)
+ int secureexec, struct rw_semaphore *sem)
 {
 struct kiosk_list_struct *item, *tmp;
 int mode;
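Review bot: `[KIOSK_SECUREEXEC]` is declared as a bare `NLA_S16`, so the attribute accepts any value from -32768 to 32767 while the only distinction the code ever makes is zero versus non-zero (`nla_get_s16(...) : 1` in kiosk_genl_doit, `node->secureexec == 0` in kiosk_bprm_check_security). Declaring it as `[KIOSK_SECUREEXEC] = NLA_POLICY_RANGE(NLA_S16, 0, 1),` makes netlink reject anything else at parse time and pins the userspace contract to what the commit message describes. The attribute is also parsed for every KIOSK_ACTION although only `KIOSK_USERLIST_ADD` consumes it; if that is intended, a one-line comment on the policy entry would spare the next reader the question. Both the policy table and kiosk_add_item continue outside this hunk.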
@@ -106,12 +111,16 @@ static int kiosk_add_item(struct list_head *list, char *filename,
 down_write(sem);
 list_for_each_entry(tmp, list, list) {
 if (item->path.dentry == tmp->path.dentry) {
+ if (tmp->secureexec != secureexec) {
+ tmp->secureexec = secureexec;
+ }
 up_write(sem);
 path_put(&item->path);
 kfree(item);
 return 0;
 }
 }
+ item->secureexec = secureexec;
 list_add_tail(&item->list, list);
 up_write(sem);
 
@@ -244,12 +253,16 @@ static int kiosk_list_items(struct list_head *list, struct rw_semaphore *sem,
 static int kiosk_genl_doit(struct sk_buff *skb, struct genl_info *info)
 {
 int action;
+ int secureexec;
 
 if (info->attrs[KIOSK_DATA])
 strscpy(pathbuf, nla_data(info->attrs[KIOSK_DATA]),
 sizeof(pathbuf));
 else
 pathbuf[0] = '\0';
+ secureexec = info->attrs[KIOSK_SECUREEXEC] ?
+ nla_get_s16(info->attrs[KIOSK_SECUREEXEC]) : 1;
+
 action = info->attrs[KIOSK_ACTION] ?
 nla_get_s16(info->attrs[KIOSK_ACTION]) : -1;
 
@@ -275,7 +288,7 @@ static int kiosk_genl_doit(struct sk_buff *skb, struct genl_info *info)
 return 0;
 }
 case KIOSK_USERLIST_ADD:
- return kiosk_add_item(&user_list, pathbuf, &user_sem);
+ return kiosk_add_item(&user_list, pathbuf, secureexec, &user_sem);
 case KIOSK_USERLIST_DEL:
 return kiosk_remove_item(&user_list, pathbuf, &user_sem);
 
@@ -329,6 +342,10 @@ static int kiosk_bprm_check_security(struct linux_binprm *bprm)
 down_read(&user_sem);
 list_for_each_entry(node, &user_list, list) {
 if (bprm->file->f_path.dentry == node->path.dentry) {
+ if (node->secureexec == 0) {
+ bprm->secureexec = 0;
+ pr_notice_ratelimited("Kiosk: %s will not be treated securely\n", bprm->filename);
+ }
 up_read(&user_sem);
 return 0;
 }
-- 
2.50.1
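Review bot: The `if (tmp->secureexec != secureexec)` guard in kiosk_add_item is redundant — the assignment runs under `down_write(sem)` and has the same effect with or without the comparison — so the three added lines collapse to `tmp->secureexec = secureexec;`. The behavioural change deserves a comment or a line in the commit message: re-adding a path that is already listed used to be a pure no-op on the `return 0` path, and now silently rewrites that entry's secureexec flag. kiosk_add_item starts and ends outside this hunk.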
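Review bot: kiosk_genl_doit now lets a netlink client request that secureexec be cleared for a listed program, which relaxes a protection rather than adding one, so the privilege needed to send `KIOSK_USERLIST_ADD` matters more than before; the genl_ops flags (whether the op carries GENL_ADMIN_PERM) are outside this hunk and should be confirmed. Reading the attribute as `nla_get_s16(...) : 1` also means any non-zero value is treated as "secure"; normalising it at this point, `secureexec = info->attrs[KIOSK_SECUREEXEC] ? !!nla_get_s16(info->attrs[KIOSK_SECUREEXEC]) : 1;`, keeps the stored field to 0/1 regardless of the policy. The function continues past the hunk.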
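Review bot: In kiosk_bprm_check_security the new branch writes `bprm->secureexec = 0;`, which does more than the commit message's "secureexec will not be set": it also clears a 1 that an earlier LSM's bprm_check_security hook may already have stored in the same bprm, downgrading AT_SECURE for that exec. If the intent is only to skip kiosk's own setting of the flag, the safer shape is to leave `bprm->secureexec` untouched here and gate the existing `= 1` assignment (presumably elsewhere in this function, outside the hunk) on `node->secureexec`; if overriding other modules is the intent, say so in a comment on the assignment, because it inverts the usual rule that LSM hooks only make a decision more restrictive. `bprm->filename` is supplied by the caller of execve and may contain newlines or control bytes, so `%s` in the ratelimited notice lets the log line be forged; `%pD` with `bprm->file` avoids that. The function starts before the hunk.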