Restrict executing on memfd

[sisungo]

We can run executable files that are only given read but not execute access by copying them into a memfd and then call fexecve on the file descriptor. Should we restrict this?

[l0kod]

The initial goal of Landlock is to control access to data, but yes, it makes sense to have more control over an execution environment.

We could leverage the scoped field in struct landlock_ruleset_attr (see #7) and add a dedicated flag to deny memfd execution if it was created in a Landlock domain with such flag set.

[l0kod]

See chromeOS's memfd restriction: chromiumos_bprm_creds_for_exec().

[l0kod]

A more generic approach would be to deny any memory from being mapped as executable, except when mmaping a file with the LANDLOCK_ACCESS_FS_EXECUTE right. This can be implemented with security_mmap_file() and security_file_mprotect().

[sisungo]

A more generic approach would be to deny any memory from being mapped as executable, except when mmaping a file with the LANDLOCK_ACCESS_FS_EXECUTE right. This can be implemented with security_mmap_file() and security_file_mprotect().

That is more generic and powerful, indeed.

[l0kod]

Such an implementation would also change Landlock's hook_file_alloc_security() to remove the LANDLOCK_ACCESS_FS_EXECUTE right by default (when the caller's domain enforces such restriction). A new implementation of the security_bprm_creds_for_exec() hook would then check each FD's executability.