New directives NoExecPaths= ExecPaths=

Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
Topi Miettinen
2021-01-16 13:49:32 +02:00
committed by Topi Miettinen
parent 78dff3f3d7
commit ddc155b2fd
15 changed files with 240 additions and 37 deletions


@@ -0,0 +1,10 @@
[Unit]
Description=Test for NoExecPaths=
[Service]
Type=oneshot
# This should work, as we explicitly disable the effect of NoExecPaths=
ExecStart=+/bin/sh -c '/bin/cat /dev/null'
# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code
ExecStart=/bin/sh -x -c '! /bin/cat /dev/null'
NoExecPaths=/bin/cat
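Review bot: the second ExecStart= line (`ExecStart=/bin/sh -x -c '! /bin/cat /dev/null'`) passes whenever /bin/cat fails for any reason, not specifically because its path is mounted noexec, so a missing binary or an unrelated I/O error would also turn into a pass and the test could go green without NoExecPaths= doing anything. Consider asserting the specific failure instead, e.g. `ExecStart=/bin/sh -c '/bin/cat /dev/null; test $? -eq 126'`, since a POSIX shell reports status 126 when the command is found but cannot be executed; that pins the test to the exec-denied case the directive is meant to produce and also makes the `-x` trace on that line unnecessary. The first ExecStart= with the `+` prefix is a good positive control, but its comment could say explicitly that `+` runs the command with full privileges outside the sandbox, which is why NoExecPaths= does not apply there.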