This is a recap of yesterday's meeting (see #1382) about script execution control on Linux, and how it compares to #1364 (see nodejs/node#54364). @RafaelGSS, @mhdawson, @rdw-msft, and I were attending.
LWN published an article about this new feature: Restricting execution of scripts — the third approach
I gave a talk last week that explains the goal, the challenges, and the current approach: Closing the script execution control gap
The changes required for Node.js would be:
- To check all files containing code with execveat(2) + AT_CHECK
- To restrict according to 2 complementary securebits: SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
Here is a proof of concept for Python (using the original securebits): zooba/spython#12
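As an added sketch (not code from the kernel series, Node.js or the spython PoC), this shows how an enlightened interpreter could combine the two pieces listed above: ask the kernel with execveat(2) + AT_CHECK whether a script file would be allowed to execute, then apply SECBIT_EXEC_RESTRICT_FILE to file execution and SECBIT_EXEC_DENY_INTERACTIVE to REPL/inline code. The fallback constant values and the policy function names (kernel_check_fd, file_policy, interactive_policy) are assumptions; system headers win when they define the names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed fallbacks (not from the page): the flag value from the patch series
 * (merged kernels spell it AT_EXECVE_CHECK) and the proposed securebit positions. */
#ifndef AT_CHECK
#define AT_CHECK 0x10000
#endif
#ifndef SECBIT_EXEC_RESTRICT_FILE
#define SECBIT_EXEC_RESTRICT_FILE (1UL << 8)
#endif
#ifndef SECBIT_EXEC_DENY_INTERACTIVE
#define SECBIT_EXEC_DENY_INTERACTIVE (1UL << 10)
#endif

/* Ask the kernel whether fd may execute, without executing it.
 * 1 = check passed, 0 = denied (noexec mount, permissions, LSM policy),
 * -1 = kernel does not know AT_CHECK, so there is no policy to enforce. */
int kernel_check_fd(int fd) {
#ifndef SYS_execveat
    return -1;
#else
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    if (syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH | AT_CHECK) == 0) return 1;
    return (errno == EINVAL || errno == ENOSYS) ? -1 : 0;
#endif
}

/* Script file: a passing (or unsupported) check runs; a failing check is denied
 * only when SECBIT_EXEC_RESTRICT_FILE is set, otherwise logged and allowed. */
int file_policy(unsigned long securebits, int check_result) {
    if (check_result != 0) return 1;
    if (securebits & SECBIT_EXEC_RESTRICT_FILE) return 0;
    fprintf(stderr, "warning: script failed execve check (not enforced)\n");
    return 1;
}

/* REPL or -e/--eval code has no file to check: deny when the bit is set. */
int interactive_policy(unsigned long securebits) {
    return !(securebits & SECBIT_EXEC_DENY_INTERACTIVE);
}

int main(int argc, char **argv) {
    unsigned long bits = (unsigned long)prctl(PR_GET_SECUREBITS);
    if (argc < 2) return interactive_policy(bits) ? 0 : 126;  /* interactive mode */
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0) { perror("open"); return 1; }
    int ok = file_policy(bits, kernel_check_fd(fd));
    close(fd);
    puts(ok ? "would run script" : "denied by policy");
    return ok ? 0 : 126;
}
```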
Latest kernel patch series: https://lore.kernel.org/all/[email protected]/
I'll update this issue with the next patches (which will include an enlightened toy script interpreter).