authorTopi Miettinen <toiwoton@gmail.com>2021-01-16 13:49:32 +0200
committerTopi Miettinen <topimiettinen@users.noreply.github.com>2021-01-29 12:40:52 +0000
commitddc155b2fd7807cda088c437dc836eebbcf79cea (patch)
tree512024b3042da520bffd77e1b7e0e64e0405df68 /src/core/execute.h
parent78dff3f3d72c62357543fe1716da3886cff54a10 (diff)
New directives NoExecPaths= ExecPaths=
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC` mount flag for the file system tree. This can be used to implement file system W^X policies, and for example with allow-listing mode (NoExecPaths=/) a compromised service would not be able to execute a shell, if that was not explicitly allowed. Example: [Service] NoExecPaths=/ ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib Closes: #17942.
Diffstat (limited to 'src/core/execute.h')
-rw-r--r--src/core/execute.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/core/execute.h b/src/core/execute.h
index f8231ba773..d615af5109 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -243,7 +243,7 @@ struct ExecContext {
char *apparmor_profile;
char *smack_process_label;
- char **read_write_paths, **read_only_paths, **inaccessible_paths;
+ char **read_write_paths, **read_only_paths, **inaccessible_paths, **exec_paths, **no_exec_paths;
unsigned long mount_flags;
BindMount *bind_mounts;
size_t n_bind_mounts;
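Review bot: The changed line adds `exec_paths` and `no_exec_paths` to an already long multi-declarator line with no comment, so a reader of `struct ExecContext` cannot tell which list clears and which sets `MS_NOEXEC`, or which one wins when entries overlap. The allow-listing example in the description (`NoExecPaths=/` plus specific `ExecPaths=`) depends on that precedence, so it is worth stating next to the fields. I would give the new pair its own line with a short comment, e.g. `char **exec_paths, **no_exec_paths; /* ExecPaths=/NoExecPaths=: subtrees mounted without/with MS_NOEXEC; more specific path wins */` — the precedence wording is my reading of the description and should be checked against the namespace setup code. These look like owned string lists like the three beside them, so the context teardown and dump code presumably need matching entries; that code is not on this page, which is limited to execute.h. The struct body starts and ends outside the hunk.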