€•t      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ,/translations/zh_CN/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/zh_TW/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/it_IT/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/ja_JP/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/ko_KR/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ,/translations/sp_SP/userspace-api/check_exec”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒF/var/lib/git/docbuild/linux/Documentation/userspace-api/check_exec.rst”h Kubh¢)”}”(hŒ'Copyright Â© 2024 Microsoft Corporation”h]”hŒ'Copyright Â© 2024 Microsoft Corporation”…””}”hh´sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hhhžhhŸh³h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒExecutability check”h]”hŒExecutability check”…””}”(hhÉhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhhÄhžhhŸh³h KubhŒ	paragraph”“”)”}”(hX:  The ``AT_EXECVE_CHECK`` :manpage:`execveat(2)` flag, and the
``SECBIT_EXEC_RESTRICT_FILE`` and ``SECBIT_EXEC_DENY_INTERACTIVE`` securebits
are intended for script interpreters and dynamic linkers to enforce a
consistent execution security policy handled by the kernel.  See the
`samples/check-exec/inc.c`_ example.”h]”(hŒThe ”…””}”(hhÙhžhhŸNh NubhŒliteral”“”)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hhãhžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhhÙubhŒ ”…””}”(hhÙhžhhŸNh Nubh Œmanpage”“”)”}”(hŒ:manpage:`execveat(2)`”h]”hŒexecveat(2)”…””}”(hh÷hžhhŸNh Nubah}”(h]”h ]”hõah"]”h$]”h&]”h±h²Œpath”Œexecveat(2)”Œpage”Œexecveat”Œsection”Œ2”uh1hõhhÙubhŒ flag, and the
”…””}”(hhÙhžhhŸNh Nubhâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE``”h]”hŒSECBIT_EXEC_RESTRICT_FILE”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhhÙubhŒ and ”…””}”(hhÙhžhhŸNh Nubhâ)”}”(hŒ ``SECBIT_EXEC_DENY_INTERACTIVE``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhhÙubhŒ— securebits
are intended for script interpreters and dynamic linkers to enforce a
consistent execution security policy handled by the kernel.  See the
”…””}”(hhÙhžhhŸNh NubhŒ	reference”“”)”}”(hŒ`samples/check-exec/inc.c`_”h]”hŒsamples/check-exec/inc.c”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œsamples/check-exec/inc.c”Œrefuri”Œ`https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/check-exec/inc.c”uh1j3  hhÙŒresolved”KubhŒ	 example.”…””}”(hhÙhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhÄhžhubhØ)”}”(hXK  Whether an interpreter should check these securebits or not depends on the
security risk of running malicious scripts with respect to the execution
environment, and whether the kernel can check if a script is trustworthy or
not.  For instance, Python scripts running on a server can use arbitrary
syscalls and access arbitrary files.  Such interpreters should then be
enlighten to use these securebits and let users define their security policy.
However, a JavaScript engine running in a web browser should already be
sandboxed and then should not be able to harm the user's environment.”h]”hXM  Whether an interpreter should check these securebits or not depends on the
security risk of running malicious scripts with respect to the execution
environment, and whether the kernel can check if a script is trustworthy or
not.  For instance, Python scripts running on a server can use arbitrary
syscalls and access arbitrary files.  Such interpreters should then be
enlighten to use these securebits and let users define their security policy.
However, a JavaScript engine running in a web browser should already be
sandboxed and then should not be able to harm the userâ€™s environment.”…””}”(hjR  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhÄhžhubhØ)”}”(hX™  Script interpreters or dynamic linkers built for tailored execution environments
(e.g. hardened Linux distributions or hermetic container images) could use
``AT_EXECVE_CHECK`` without checking the related securebits if backward
compatibility is handled by something else (e.g. atomic update ensuring that
all legitimate libraries are allowed to be executed).  It is then recommended
for script interpreters and dynamic linkers to check the securebits at run time
by default, but also to provide the ability for custom builds to behave like if
``SECBIT_EXEC_RESTRICT_FILE`` or ``SECBIT_EXEC_DENY_INTERACTIVE`` were always
set to 1 (i.e. always enforce restrictions).”h]”(hŒœScript interpreters or dynamic linkers built for tailored execution environments
(e.g. hardened Linux distributions or hermetic container images) could use
”…””}”(hj`  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj`  ubhXp   without checking the related securebits if backward
compatibility is handled by something else (e.g. atomic update ensuring that
all legitimate libraries are allowed to be executed).  It is then recommended
for script interpreters and dynamic linkers to check the securebits at run time
by default, but also to provide the ability for custom builds to behave like if
”…””}”(hj`  hžhhŸNh Nubhâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE``”h]”hŒSECBIT_EXEC_RESTRICT_FILE”…””}”(hjz  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj`  ubhŒ or ”…””}”(hj`  hžhhŸNh Nubhâ)”}”(hŒ ``SECBIT_EXEC_DENY_INTERACTIVE``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE”…””}”(hjŒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj`  ubhŒ9 were always
set to 1 (i.e. always enforce restrictions).”…””}”(hj`  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhhÄhžhubhÃ)”}”(hhh]”(hÈ)”}”(hŒAT_EXECVE_CHECK”h]”hŒAT_EXECVE_CHECK”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj¤  hžhhŸh³h K"ubhØ)”}”(hX  Passing the ``AT_EXECVE_CHECK`` flag to :manpage:`execveat(2)` only performs a
check on a regular file and returns 0 if execution of this file would be
allowed, ignoring the file format and then the related interpreter dependencies
(e.g. ELF libraries, script's shebang).”h]”(hŒPassing the ”…””}”(hjµ  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjµ  ubhŒ	 flag to ”…””}”(hjµ  hžhhŸNh Nubhö)”}”(hŒ:manpage:`execveat(2)`”h]”hŒexecveat(2)”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”hõah"]”h$]”h&]”h±h²j  Œexecveat(2)”j  Œexecveat”j	  j
  uh1hõhjµ  ubhŒÓ only performs a
check on a regular file and returns 0 if execution of this file would be
allowed, ignoring the file format and then the related interpreter dependencies
(e.g. ELF libraries, scriptâ€™s shebang).”…””}”(hjµ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K$hj¤  hžhubhØ)”}”(hX£  Programs should always perform this check to apply kernel-level checks against
files that are not directly executed by the kernel but passed to a user space
interpreter instead.  All files that contain executable code, from the point of
view of the interpreter, should be checked.  However the result of this check
should only be enforced according to ``SECBIT_EXEC_RESTRICT_FILE`` or
``SECBIT_EXEC_DENY_INTERACTIVE.``.”h]”(hX`  Programs should always perform this check to apply kernel-level checks against
files that are not directly executed by the kernel but passed to a user space
interpreter instead.  All files that contain executable code, from the point of
view of the interpreter, should be checked.  However the result of this check
should only be enforced according to ”…””}”(hjé  hžhhŸNh Nubhâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE``”h]”hŒSECBIT_EXEC_RESTRICT_FILE”…””}”(hjñ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjé  ubhŒ or
”…””}”(hjé  hžhhŸNh Nubhâ)”}”(hŒ!``SECBIT_EXEC_DENY_INTERACTIVE.``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjé  ubhŒ.”…””}”(hjé  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K)hj¤  hžhubhØ)”}”(hXV  The main purpose of this flag is to improve the security and consistency of an
execution environment to ensure that direct file execution (e.g.
``./script.sh``) and indirect file execution (e.g. ``sh script.sh``) lead to
the same result.  For instance, this can be used to check if a file is
trustworthy according to the caller's environment.”h]”(hŒThe main purpose of this flag is to improve the security and consistency of an
execution environment to ensure that direct file execution (e.g.
”…””}”(hj  hžhhŸNh Nubhâ)”}”(hŒ``./script.sh``”h]”hŒ./script.sh”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj  ubhŒ$) and indirect file execution (e.g. ”…””}”(hj  hžhhŸNh Nubhâ)”}”(hŒ``sh script.sh``”h]”hŒsh script.sh”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj  ubhŒ…) lead to
the same result.  For instance, this can be used to check if a file is
trustworthy according to the callerâ€™s environment.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K0hj¤  hžhubhØ)”}”(hXs  In a secure environment, libraries and any executable dependencies should also
be checked.  For instance, dynamic linking should make sure that all libraries
are allowed for execution to avoid trivial bypass (e.g. using ``LD_PRELOAD``).
For such secure execution environment to make sense, only trusted code should
be executable, which also requires integrity guarantees.”h]”(hŒÜIn a secure environment, libraries and any executable dependencies should also
be checked.  For instance, dynamic linking should make sure that all libraries
are allowed for execution to avoid trivial bypass (e.g. using ”…””}”(hjM  hžhhŸNh Nubhâ)”}”(hŒ``LD_PRELOAD``”h]”hŒ
LD_PRELOAD”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjM  ubhŒ‰).
For such secure execution environment to make sense, only trusted code should
be executable, which also requires integrity guarantees.”…””}”(hjM  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K6hj¤  hžhubhØ)”}”(hŒ¸To avoid race conditions leading to time-of-check to time-of-use issues,
``AT_EXECVE_CHECK`` should be used with ``AT_EMPTY_PATH`` to check against a
file descriptor instead of a path.”h]”(hŒITo avoid race conditions leading to time-of-check to time-of-use issues,
”…””}”(hjm  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hju  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjm  ubhŒ should be used with ”…””}”(hjm  hžhhŸNh Nubhâ)”}”(hŒ``AT_EMPTY_PATH``”h]”hŒAT_EMPTY_PATH”…””}”(hj‡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjm  ubhŒ6 to check against a
file descriptor instead of a path.”…””}”(hjm  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K<hj¤  hžhubeh}”(h]”Œat-execve-check”ah ]”h"]”Œat_execve_check”ah$]”h&]”uh1hÂhhÄhžhhŸh³h K"ubhÃ)”}”(hhh]”(hÈ)”}”(hŒ:SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE”h]”hŒ:SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÇhj§  hžhhŸh³h KAubhØ)”}”(hŒËWhen ``SECBIT_EXEC_RESTRICT_FILE`` is set, a process should only interpret or
execute a file if a call to :manpage:`execveat(2)` with the related file
descriptor and the ``AT_EXECVE_CHECK`` flag succeed.”h]”(hŒWhen ”…””}”(hj¸  hžhhŸNh Nubhâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE``”h]”hŒSECBIT_EXEC_RESTRICT_FILE”…””}”(hjÀ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj¸  ubhŒH is set, a process should only interpret or
execute a file if a call to ”…””}”(hj¸  hžhhŸNh Nubhö)”}”(hŒ:manpage:`execveat(2)`”h]”hŒexecveat(2)”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”hõah"]”h$]”h&]”h±h²j  Œexecveat(2)”j  Œexecveat”j	  j
  uh1hõhj¸  ubhŒ* with the related file
descriptor and the ”…””}”(hj¸  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hjæ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj¸  ubhŒ flag succeed.”…””}”(hj¸  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KChj§  hžhubhØ)”}”(hŒÕThis secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools...  Except for test environments, the
related ``SECBIT_EXEC_RESTRICT_FILE_LOCKED`` bit should also be set.”h]”(hŒ™This secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools...  Except for test environments, the
related ”…””}”(hjþ  hžhhŸNh Nubhâ)”}”(hŒ$``SECBIT_EXEC_RESTRICT_FILE_LOCKED``”h]”hŒ SECBIT_EXEC_RESTRICT_FILE_LOCKED”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjþ  ubhŒ bit should also be set.”…””}”(hjþ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KGhj§  hžhubhØ)”}”(hXc  Programs should only enforce consistent restrictions according to the
securebits but without relying on any other user-controlled configuration.
Indeed, the use case for these securebits is to only trust executable code
vetted by the system configuration (through the kernel), so we should be
careful to not let untrusted users control this configuration.”h]”hXc  Programs should only enforce consistent restrictions according to the
securebits but without relying on any other user-controlled configuration.
Indeed, the use case for these securebits is to only trust executable code
vetted by the system configuration (through the kernel), so we should be
careful to not let untrusted users control this configuration.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KKhj§  hžhubhØ)”}”(hX  However, script interpreters may still use user configuration such as
environment variables as long as it is not a way to disable the securebits
checks.  For instance, the ``PATH`` and ``LD_PRELOAD`` variables can be set by
a script's caller.  Changing these variables may lead to unintended code
executions, but only from vetted executable programs, which is OK.  For this to
make sense, the system should provide a consistent security policy to avoid
arbitrary code execution e.g., by enforcing a write xor execute policy.”h]”(hŒ¬However, script interpreters may still use user configuration such as
environment variables as long as it is not a way to disable the securebits
checks.  For instance, the ”…””}”(hj,  hžhhŸNh Nubhâ)”}”(hŒ``PATH``”h]”hŒPATH”…””}”(hj4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj,  ubhŒ and ”…””}”(hj,  hžhhŸNh Nubhâ)”}”(hŒ``LD_PRELOAD``”h]”hŒ
LD_PRELOAD”…””}”(hjF  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj,  ubhXG   variables can be set by
a scriptâ€™s caller.  Changing these variables may lead to unintended code
executions, but only from vetted executable programs, which is OK.  For this to
make sense, the system should provide a consistent security policy to avoid
arbitrary code execution e.g., by enforcing a write xor execute policy.”…””}”(hj,  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KQhj§  hžhubhØ)”}”(hXW  When ``SECBIT_EXEC_DENY_INTERACTIVE`` is set, a process should never interpret
interactive user commands (e.g. scripts).  However, if such commands are passed
through a file descriptor (e.g. stdin), its content should be interpreted if a
call to :manpage:`execveat(2)` with the related file descriptor and the
``AT_EXECVE_CHECK`` flag succeed.”h]”(hŒWhen ”…””}”(hj^  hžhhŸNh Nubhâ)”}”(hŒ ``SECBIT_EXEC_DENY_INTERACTIVE``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj^  ubhŒÑ is set, a process should never interpret
interactive user commands (e.g. scripts).  However, if such commands are passed
through a file descriptor (e.g. stdin), its content should be interpreted if a
call to ”…””}”(hj^  hžhhŸNh Nubhö)”}”(hŒ:manpage:`execveat(2)`”h]”hŒexecveat(2)”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”hõah"]”h$]”h&]”h±h²j  Œexecveat(2)”j  Œexecveat”j	  j
  uh1hõhj^  ubhŒ* with the related file descriptor and the
”…””}”(hj^  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hjŒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj^  ubhŒ flag succeed.”…””}”(hj^  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KYhj§  hžhubhØ)”}”(hŒ˜For instance, script interpreters called with a script snippet as argument
should always deny such execution if ``SECBIT_EXEC_DENY_INTERACTIVE`` is set.”h]”(hŒpFor instance, script interpreters called with a script snippet as argument
should always deny such execution if ”…””}”(hj¤  hžhhŸNh Nubhâ)”}”(hŒ ``SECBIT_EXEC_DENY_INTERACTIVE``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE”…””}”(hj¬  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj¤  ubhŒ is set.”…””}”(hj¤  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K_hj§  hžhubhØ)”}”(hŒØThis secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools...  Except for test environments, the
related ``SECBIT_EXEC_DENY_INTERACTIVE_LOCKED`` bit should also be set.”h]”(hŒ™This secure bit may be set by user session managers, service managers,
container runtimes, sandboxer tools...  Except for test environments, the
related ”…””}”(hjÄ  hžhhŸNh Nubhâ)”}”(hŒ'``SECBIT_EXEC_DENY_INTERACTIVE_LOCKED``”h]”hŒ#SECBIT_EXEC_DENY_INTERACTIVE_LOCKED”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjÄ  ubhŒ bit should also be set.”…””}”(hjÄ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kbhj§  hžhubhØ)”}”(hŒgHere is the expected behavior for a script interpreter according to combination
of any exec securebits:”h]”hŒgHere is the expected behavior for a script interpreter according to combination
of any exec securebits:”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kfhj§  hžhubhŒenumerated_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hX  ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``

Always interpret scripts, and allow arbitrary user commands (default).

No threat, everyone and everything is trusted, but we can get ahead of
potential issues thanks to the call to :manpage:`execveat(2)` with
``AT_EXECVE_CHECK`` which should always be performed but ignored by the
script interpreter.  Indeed, this check is still important to enable systems
administrators to verify requests (e.g. with audit) and prepare for
migration to a secure mode.
”h]”(hØ)”}”(hŒF``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``”h]”(hâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE=0``”h]”hŒSECBIT_EXEC_RESTRICT_FILE=0”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjý  ubhŒ and ”…””}”(hjý  hžhhŸNh Nubhâ)”}”(hŒ"``SECBIT_EXEC_DENY_INTERACTIVE=0``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE=0”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjý  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kihjù  ubhØ)”}”(hŒFAlways interpret scripts, and allow arbitrary user commands (default).”h]”hŒFAlways interpret scripts, and allow arbitrary user commands (default).”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kkhjù  ubhØ)”}”(hX~  No threat, everyone and everything is trusted, but we can get ahead of
potential issues thanks to the call to :manpage:`execveat(2)` with
``AT_EXECVE_CHECK`` which should always be performed but ignored by the
script interpreter.  Indeed, this check is still important to enable systems
administrators to verify requests (e.g. with audit) and prepare for
migration to a secure mode.”h]”(hŒnNo threat, everyone and everything is trusted, but we can get ahead of
potential issues thanks to the call to ”…””}”(hj5  hžhhŸNh Nubhö)”}”(hŒ:manpage:`execveat(2)`”h]”hŒexecveat(2)”…””}”(hj=  hžhhŸNh Nubah}”(h]”h ]”hõah"]”h$]”h&]”h±h²j  Œexecveat(2)”j  Œexecveat”j	  j
  uh1hõhj5  ubhŒ with
”…””}”(hj5  hžhhŸNh Nubhâ)”}”(hŒ``AT_EXECVE_CHECK``”h]”hŒAT_EXECVE_CHECK”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj5  ubhŒá which should always be performed but ignored by the
script interpreter.  Indeed, this check is still important to enable systems
administrators to verify requests (e.g. with audit) and prepare for
migration to a secure mode.”…””}”(hj5  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kmhjù  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j÷  hjô  hžhhŸh³h Nubjø  )”}”(hX}  ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``

Deny script interpretation if they are not executable, but allow
arbitrary user commands.

The threat is (potential) malicious scripts run by trusted (and not fooled)
users.  That can protect against unintended script executions (e.g. ``sh
/tmp/*.sh``).  This makes sense for (semi-restricted) user sessions.
”h]”(hØ)”}”(hŒF``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=0``”h]”(hâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE=1``”h]”hŒSECBIT_EXEC_RESTRICT_FILE=1”…””}”(hjw  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjs  ubhŒ and ”…””}”(hjs  hžhhŸNh Nubhâ)”}”(hŒ"``SECBIT_EXEC_DENY_INTERACTIVE=0``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE=0”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjs  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kthjo  ubhØ)”}”(hŒYDeny script interpretation if they are not executable, but allow
arbitrary user commands.”h]”hŒYDeny script interpretation if they are not executable, but allow
arbitrary user commands.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kvhjo  ubhØ)”}”(hŒÙThe threat is (potential) malicious scripts run by trusted (and not fooled)
users.  That can protect against unintended script executions (e.g. ``sh
/tmp/*.sh``).  This makes sense for (semi-restricted) user sessions.”h]”(hŒThe threat is (potential) malicious scripts run by trusted (and not fooled)
users.  That can protect against unintended script executions (e.g. ”…””}”(hj«  hžhhŸNh Nubhâ)”}”(hŒ``sh
/tmp/*.sh``”h]”hŒsh
/tmp/*.sh”…””}”(hj³  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj«  ubhŒ9).  This makes sense for (semi-restricted) user sessions.”…””}”(hj«  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kyhjo  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j÷  hjô  hžhhŸh³h Nubjø  )”}”(hX§  ``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``

Always interpret scripts, but deny arbitrary user commands.

This use case may be useful for secure services (i.e. without interactive
user session) where scripts' integrity is verified (e.g.  with IMA/EVM or
dm-verity/IPE) but where access rights might not be ready yet.  Indeed,
arbitrary interactive commands would be much more difficult to check.
”h]”(hØ)”}”(hŒF``SECBIT_EXEC_RESTRICT_FILE=0`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``”h]”(hâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE=0``”h]”hŒSECBIT_EXEC_RESTRICT_FILE=0”…””}”(hjÙ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjÕ  ubhŒ and ”…””}”(hjÕ  hžhhŸNh Nubhâ)”}”(hŒ"``SECBIT_EXEC_DENY_INTERACTIVE=1``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE=1”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhjÕ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K}hjÑ  ubhØ)”}”(hŒ;Always interpret scripts, but deny arbitrary user commands.”h]”hŒ;Always interpret scripts, but deny arbitrary user commands.”…””}”(hjÿ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhjÑ  ubhØ)”}”(hX!  This use case may be useful for secure services (i.e. without interactive
user session) where scripts' integrity is verified (e.g.  with IMA/EVM or
dm-verity/IPE) but where access rights might not be ready yet.  Indeed,
arbitrary interactive commands would be much more difficult to check.”h]”hX#  This use case may be useful for secure services (i.e. without interactive
user session) where scriptsâ€™ integrity is verified (e.g.  with IMA/EVM or
dm-verity/IPE) but where access rights might not be ready yet.  Indeed,
arbitrary interactive commands would be much more difficult to check.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h KhjÑ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j÷  hjô  hžhhŸh³h Nubjø  )”}”(hXB  ``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``

Deny script interpretation if they are not executable, and also deny
any arbitrary user commands.

The threat is malicious scripts run by untrusted users (but trusted code).
This makes sense for system services that may only execute trusted scripts.
”h]”(hØ)”}”(hŒF``SECBIT_EXEC_RESTRICT_FILE=1`` and ``SECBIT_EXEC_DENY_INTERACTIVE=1``”h]”(hâ)”}”(hŒ``SECBIT_EXEC_RESTRICT_FILE=1``”h]”hŒSECBIT_EXEC_RESTRICT_FILE=1”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj%  ubhŒ and ”…””}”(hj%  hžhhŸNh Nubhâ)”}”(hŒ"``SECBIT_EXEC_DENY_INTERACTIVE=1``”h]”hŒSECBIT_EXEC_DENY_INTERACTIVE=1”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1háhj%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K†hj!  ubhØ)”}”(hŒaDeny script interpretation if they are not executable, and also deny
any arbitrary user commands.”h]”hŒaDeny script interpretation if they are not executable, and also deny
any arbitrary user commands.”…””}”(hjO  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h Kˆhj!  ubhØ)”}”(hŒ–The threat is malicious scripts run by untrusted users (but trusted code).
This makes sense for system services that may only execute trusted scripts.”h]”hŒ–The threat is malicious scripts run by untrusted users (but trusted code).
This makes sense for system services that may only execute trusted scripts.”…””}”(hj]  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h×hŸh³h K‹hj!  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j÷  hjô  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1jò  hj§  hžhhŸh³h Kiubh¢)”}”(hŒLinks”h]”hŒLinks”…””}”hj|  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1h¡hj§  hžhhŸh³h KŽubhŒtarget”“”)”}”(hŒ.. _samples/check-exec/inc.c:
   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/samples/check-exec/inc.c”h]”h}”(h]”Œsamples-check-exec-inc-c”ah ]”h"]”Œsamples/check-exec/inc.c”ah$]”h&]”jE  jF  uh1jŠ  h Khj§  hžhhŸh³Œ
referenced”Kubeh}”(h]”Œ:secbit-exec-restrict-file-and-secbit-exec-deny-interactive”ah ]”h"]”Œ:secbit_exec_restrict_file and secbit_exec_deny_interactive”ah$]”h&]”uh1hÂhhÄhžhhŸh³h KAubeh}”(h]”Œexecutability-check”ah ]”h"]”Œexecutability check”ah$]”h&]”uh1hÂhhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÇNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jÌ  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œsamples/check-exec/inc.c”]”j5  asŒrefids”}”Œnameids”}”(j¦  j£  j¤  j¡  jž  j›  j•  j’  uŒ	nametypes”}”(j¦  ‰j¤  ‰jž  ‰j•  ˆuh}”(j£  hÄj¡  j¤  j›  j§  j’  jŒ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.