Changes in Makefile en Copyright 2015 Java 2a69962b - samples/check-exec: Add an enlighten "inc" interpreter and 28 tests http://172.16.0.5:8080/history/linux-6.15/samples/check-exec/Makefile#2a69962b samples/check-exec: Add an enlighten "inc" interpreter and 28 testsAdd a very simple script interpreter called "inc" that can evaluate twodifferent commands (one per line):- "?" to initialize a counter from user's input;- "+" to increment the counter (which is set to 0 by default).It is enlighten to only interpret executable files according toAT_EXECVE_CHECK and the related securebits: # Executing a script with RESTRICT_FILE is only allowed if the script # is executable: ./set-exec -f -- ./inc script-exec.inc # Allowed ./set-exec -f -- ./inc script-noexec.inc # Denied # Executing stdin with DENY_INTERACTIVE is only allowed if stdin is an # executable regular file: ./set-exec -i -- ./inc -i < script-exec.inc # Allowed ./set-exec -i -- ./inc -i < script-noexec.inc # Denied # However, a pipe is not executable and it is then denied: cat script-noexec.inc | ./set-exec -i -- ./inc -i # Denied # Executing raw data (e.g. command argument) with DENY_INTERACTIVE is # always denied. ./set-exec -i -- ./inc -c "+" # Denied ./inc -c "$(<script-ask.inc)" # Allowed # To directly execute a script, we can update $PATH (used by `env`): PATH="${PATH}:." ./script-exec.inc # To execute several commands passed as argument:Add a complete test suite to check the script interpreter against allpossible execution cases: make TARGETS=exec kselftest-install ./tools/testing/selftests/kselftest_install/run_kselftest.shCc: Al Viro <viro@zeniv.linux.org.uk>Cc: Christian Brauner <brauner@kernel.org>Cc: Kees Cook <keescook@chromium.org>Cc: Paul Moore <paul@paul-moore.com>Cc: Serge Hallyn <serge@hallyn.com>Signed-off-by: Mickaël Salaün <mic@digikod.net>Link: https://lore.kernel.org/r/20241212174223.389435-8-mic@digikod.netSigned-off-by: Kees Cook <kees@kernel.org> List of files: /linux-6.15/samples/check-exec/Makefile Thu, 12 Dec 2024 17:42:22 +0000 Mickaël Salaün <mic@digikod.net> faf2d88e - samples/check-exec: Add set-exec http://172.16.0.5:8080/history/linux-6.15/samples/check-exec/Makefile#faf2d88e samples/check-exec: Add set-execAdd a simple tool to set SECBIT_EXEC_RESTRICT_FILE orSECBIT_EXEC_DENY_INTERACTIVE before executing a command. This is usefulto easily test against enlighten script interpreters.Cc: Al Viro <viro@zeniv.linux.org.uk>Cc: Christian Brauner <brauner@kernel.org>Cc: Kees Cook <keescook@chromium.org>Cc: Paul Moore <paul@paul-moore.com>Cc: Serge Hallyn <serge@hallyn.com>Signed-off-by: Mickaël Salaün <mic@digikod.net>Link: https://lore.kernel.org/r/20241212174223.389435-6-mic@digikod.netSigned-off-by: Kees Cook <kees@kernel.org> List of files: /linux-6.15/samples/check-exec/Makefile Thu, 12 Dec 2024 17:42:20 +0000 Mickaël Salaün <mic@digikod.net>