samples/check-exec: Add an enlighten "inc" interpreter and 28 tests

Add a very simple script interpreter called "inc" that can evaluate two
different commands (one per line):
- "?" to initialize a c

samples/check-exec: Add an enlighten "inc" interpreter and 28 tests

Add a very simple script interpreter called "inc" that can evaluate two
different commands (one per line):
- "?" to initialize a counter from user's input;
- "+" to increment the counter (which is set to 0 by default).

It is enlighten to only interpret executable files according to
AT_EXECVE_CHECK and the related securebits:

# Executing a script with RESTRICT_FILE is only allowed if the script
# is executable:
./set-exec -f -- ./inc script-exec.inc # Allowed
./set-exec -f -- ./inc script-noexec.inc # Denied

# Executing stdin with DENY_INTERACTIVE is only allowed if stdin is an
# executable regular file:
./set-exec -i -- ./inc -i < script-exec.inc # Allowed
./set-exec -i -- ./inc -i < script-noexec.inc # Denied

# However, a pipe is not executable and it is then denied:
cat script-noexec.inc | ./set-exec -i -- ./inc -i # Denied

# Executing raw data (e.g. command argument) with DENY_INTERACTIVE is
# always denied.
./set-exec -i -- ./inc -c "+" # Denied
./inc -c "$(<script-ask.inc)" # Allowed

# To directly execute a script, we can update $PATH (used by `env`):
PATH="${PATH}:." ./script-exec.inc

# To execute several commands passed as argument:

Add a complete test suite to check the script interpreter against all
possible execution cases:

make TARGETS=exec kselftest-install
./tools/testing/selftests/kselftest_install/run_kselftest.sh

Cc: Al Viro <[email protected]>
Cc: Christian Brauner <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Paul Moore <[email protected]>
Cc: Serge Hallyn <[email protected]>
Signed-off-by: Mickaël Salaün <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>

show more ...