security-wg
security-wg copied to clipboard
nodejs
Script execution control on Linux
This is a recap of yesterday's meeting (see #1382) about script execution control on Linux, and how it compares to #1364 (see https://github.com/nodejs/node/pull/54364). @RafaelGSS, @mhdawson, @rdw-msft, and I were attending.
LWN published an article about this new feature: Restricting execution of scripts — the third approach
I gave a talk last week that explains the goal, the challenges, and the current approach: Closing the script execution control gap
The changes required for Node.js would be:
- To check all files containing code with execveat(2) + AT_CHECK
- To restrict according to 2 complementary securebits: SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE
Here is a proof of concept for Python (using the original securebits): https://github.com/zooba/spython/pull/12
Latest kernel patch series: https://lore.kernel.org/all/[email protected]/
I'll update this issue with the next patches (which will include an enlighten toy script interpreter).
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
The kernel changes to support control of script execution has been merged (6 years after the first version) 🥳 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21266b8df5224c4f677acf9f353eecc9094731f0
It provides tests, examples, and documentation.
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.
This issue has been inactive for 90 days. It will be closed in 14 days unless there is further activity or the stale label is taken off.