Skip to content

Implement support for NOEXEC (take 2) #1124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 2, 2025
Merged

Implement support for NOEXEC (take 2) #1124

merged 5 commits into from
Jun 2, 2025

Conversation

bjorn3
Copy link
Collaborator

@bjorn3 bjorn3 commented May 9, 2025
edited
Loading

This is using seccomp syscall filtering of the execve and execveat syscalls. Unlike the original sudo this does not depend on using LD_PRELOAD. Instead SECCOMP_RET_USER_NOTIF is used combined with a thread which allows the first exec (as done by sudo itself) and denies all further execs. This makes it robust against both statically linked executables and executables compiled for a different libc than sudo-rs itself. Sudo-rs just like original sudo does not protect against malicious programs with NOEXEC. It doesn't prevent mapping memory as executable, nor does it protect against future syscalls that do an exec like the planned io_uring exec opcode 1. And it also doesn't protect against honest programs that intentionally or not allow the user to write to /proc/self/mem for the same reasons as that it doesn't protect against malicious programs.

Fixes #1071
Fixes #1072

This is a revival of #1073. It now spawns the handler thread after doing a fork.

Footnotes

  1. https://lwn.net/Articles/1002371/

@bjorn3 bjorn3 changed the title Implement support for NOEXEC (try 2) Implement support for NOEXEC (take 2) May 9, 2025
@bjorn3 bjorn3 requested a review from squell May 9, 2025 12:55
@squell squell added C-exec Execution component (interfacing with OS) ubuntu labels May 9, 2025
@squell squell added this to the NOEXEC milestone May 9, 2025
squell
squell approved these changes May 12, 2025
View reviewed changes
@squell
Copy link
Member

squell commented May 12, 2025
edited
Loading

Note: I've merged the changes from close_range into this branch locally, so once you have brought it up to date by rebasing or merging I can quickly re-review if we agree on how the merge conflicts should have been resolved (but I'd prefer you do it so we also have two pairs of eyes on that)

@squell
Copy link
Member

squell commented May 15, 2025
edited
Loading

As an informational note: io_uring has more drawbacks: https://www.schneier.com/blog/archives/2025/04/new-linux-rootkit.html

There are two possibilities: either Linux will add some seccomp filtering for io_uring at some point or NOEXEC will have to imply “NOIOURING”.

@squell squell enabled auto-merge June 2, 2025 14:20
@squell squell merged commit 7a09f25 into trifectatechfoundation:main Jun 2, 2025
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squell squell squell approved these changes

Assignees
No one assigned
Labels
C-exec Execution component (interfacing with OS) ubuntu
Projects
None yet
Milestone
NOEXEC
Development

Successfully merging this pull request may close these issues.

Add NOEXEC support to exec Investigate NOEXEC loading
2 participants
@bjorn3 @squell