This is a recap of yesterday's meeting (see #1382) about script execution control on Linux, and how it compares to #1364 (see nodejs/node#54364). @RafaelGSS, @mhdawson, @rdw-msft, and I were attending.
LWN published an article about this new feature: Restricting execution of scripts — the third approach
I gave a talk last week that explains the goal, the challenges, and the current approach: Closing the script execution control gap
The changes required for Node.js would be:
- To check all files containing code with execveat(2) + AT_CHECK
- To restrict according to 2 complementary securebits: SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
Here is a proof of concept for Python (using the original securebits): zooba/spython#12
Latest kernel patch series: https://lore.kernel.org/all/20240704190137.696169-1-mic@digikod.net/
I'll update this issue with the next patches (which will include an enlighten toy script interpreter).
This is a recap of yesterday's meeting (see #1382) about script execution control on Linux, and how it compares to #1364 (see nodejs/node#54364). @RafaelGSS, @mhdawson, @rdw-msft, and I were attending.
LWN published an article about this new feature: Restricting execution of scripts — the third approach
I gave a talk last week that explains the goal, the challenges, and the current approach: Closing the script execution control gap
The changes required for Node.js would be:
Here is a proof of concept for Python (using the original securebits): zooba/spython#12
Latest kernel patch series: https://lore.kernel.org/all/20240704190137.696169-1-mic@digikod.net/
I'll update this issue with the next patches (which will include an enlighten toy script interpreter).