From ddc155b2fd7807cda088c437dc836eebbcf79cea Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Sat, 16 Jan 2021 13:49:32 +0200 Subject: New directives NoExecPaths= ExecPaths= Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC` mount flag for the file system tree. This can be used to implement file system W^X policies, and for example with allow-listing mode (NoExecPaths=/) a compromised service would not be able to execute a shell, if that was not explicitly allowed. Example: [Service] NoExecPaths=/ ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib Closes: #17942. --- test/test-execute/exec-noexecpaths-simple.service | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 test/test-execute/exec-noexecpaths-simple.service (limited to 'test/test-execute') diff --git a/test/test-execute/exec-noexecpaths-simple.service b/test/test-execute/exec-noexecpaths-simple.service new file mode 100644 index 0000000000..45152a26f0 --- /dev/null +++ b/test/test-execute/exec-noexecpaths-simple.service @@ -0,0 +1,10 @@ +[Unit] +Description=Test for NoExecPaths= + +[Service] +Type=oneshot +# This should work, as we explicitly disable the effect of NoExecPaths= +ExecStart=+/bin/sh -c '/bin/cat /dev/null' +# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code +ExecStart=/bin/sh -x -c '! /bin/cat /dev/null' +NoExecPaths=/bin/cat -- cgit v1.2.1
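Review bot: The second ExecStart= in exec-noexecpaths-simple.service, `/bin/sh -x -c '! /bin/cat /dev/null'`, passes on any non-zero exit from /bin/cat, not only when execution is denied by the noexec mount. If /bin/cat were missing, the shell would return 127 and the inverted result would still be success, so the test would pass without NoExecPaths= having taken effect. Consider asserting the specific status a POSIX shell returns for a command that is found but cannot be executed (126) instead of negating the exit code. The comment on that line, "This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code", could also say outright that the cat invocation is expected to fail. The comment on the first ExecStart= could name the `+` prefix as the thing that disables the restriction. This unit sets only `NoExecPaths=/bin/cat`; the allow-listing combination from the commit message (`NoExecPaths=/` with `ExecPaths=` re-enabling specific paths) is not exercised in this file.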