author: Topi Miettinen <toiwoton@gmail.com> 2021-01-16 13:49:32 +0200
committer: Topi Miettinen <topimiettinen@users.noreply.github.com> 2021-01-29 12:40:52 +0000
commit: ddc155b2fd7807cda088c437dc836eebbcf79cea
tree: 512024b3042da520bffd77e1b7e0e64e0405df68 /test/test-execute
parent: 78dff3f3d72c62357543fe1716da3886cff54a10
New directives NoExecPaths= ExecPaths=

Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC` mount flag for the file system tree. This can be used to implement file system W^X policies, and for example with allow-listing mode (NoExecPaths=/) a compromised service would not be able to execute a shell, if that was not explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.

Diffstat (limited to 'test/test-execute')
-rw-r--r-- test/test-execute/exec-noexecpaths-simple.service 10
1 files changed, 10 insertions, 0 deletions
diff --git a/test/test-execute/exec-noexecpaths-simple.service b/test/test-execute/exec-noexecpaths-simple.service
new file mode 100644
index 0000000000..45152a26f0
--- /dev/null
+++ b/test/test-execute/exec-noexecpaths-simple.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Test for NoExecPaths=
+
+[Service]
+Type=oneshot
+# This should work, as we explicitly disable the effect of NoExecPaths=
+ExecStart=+/bin/sh -c '/bin/cat /dev/null'
+# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code
+ExecStart=/bin/sh -x -c '! /bin/cat /dev/null'
+NoExecPaths=/bin/cat
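Review bot: The second ExecStart= (`! /bin/cat /dev/null`) passes on any non-zero exit from /bin/cat, so it cannot tell an MS_NOEXEC denial from a missing binary or an unrelated failure. Consider asserting the shell's "found but not executable" exit status (126) instead of a plain inversion, so the test only succeeds when execution was actually refused. Also, this unit only exercises NoExecPaths= on a single file. The allow-listing case from the commit message (NoExecPaths=/ combined with ExecPaths=) has no unit in test/test-execute according to the diffstat, and that is the configuration most likely to be deployed, so a second unit covering it would be worth adding.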