From 1d3de04b11b5385f1f6f0c17acf95decd1421738 Mon Sep 17 00:00:00 2001 From: Collin Funk Date: Thu, 17 Jul 2025 20:33:37 -0700 Subject: [PATCH] Add SECURE_* and SECBIT_* macros added in Linux 6.14. The following macros were added in Linux 6.14 [1]. [1] https://github.com/torvalds/linux/commit/a0623b2a1d595341971c189b90a6b06f42cd209d --- libc-test/semver/linux.txt | 8 ++++++++ src/unix/linux_like/linux/mod.rs | 21 +++++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/libc-test/semver/linux.txt b/libc-test/semver/linux.txt index f88769996e81b..6ac16fb13e460 100644 --- a/libc-test/semver/linux.txt +++ b/libc-test/semver/linux.txt @@ -2776,6 +2776,10 @@ SCTP_STATUS SCTP_STREAM_RESET_INCOMING SCTP_STREAM_RESET_OUTGOING SCTP_UNORDERED +SECBIT_EXEC_DENY_INTERACTIVE +SECBIT_EXEC_DENY_INTERACTIVE_LOCKED +SECBIT_EXEC_RESTRICT_FILE +SECBIT_EXEC_RESTRICT_FILE_LOCKED SECBIT_KEEP_CAPS SECBIT_KEEP_CAPS_LOCKED SECBIT_NOROOT @@ -2815,6 +2819,10 @@ SECCOMP_USER_NOTIF_FLAG_CONTINUE SECUREBITS_DEFAULT SECURE_ALL_BITS SECURE_ALL_LOCKS +SECURE_EXEC_DENY_INTERACTIVE +SECURE_EXEC_DENY_INTERACTIVE_LOCKED +SECURE_EXEC_RESTRICT_FILE +SECURE_EXEC_RESTRICT_FILE_LOCKED SEEK_DATA SEEK_HOLE SELFMAG diff --git a/src/unix/linux_like/linux/mod.rs b/src/unix/linux_like/linux/mod.rs index 436244b0ecf6d..723a98d00cbd8 100644 --- a/src/unix/linux_like/linux/mod.rs +++ b/src/unix/linux_like/linux/mod.rs @@ -4750,9 +4750,26 @@ pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIE pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int = issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED); +pub const SECURE_EXEC_RESTRICT_FILE: c_int = 8; +pub const SECURE_EXEC_RESTRICT_FILE_LOCKED: c_int = 9; + +pub const SECBIT_EXEC_RESTRICT_FILE: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE); +pub const SECBIT_EXEC_RESTRICT_FILE_LOCKED: c_int = issecure_mask(SECURE_EXEC_RESTRICT_FILE_LOCKED); + +pub const SECURE_EXEC_DENY_INTERACTIVE: c_int = 10; +pub const SECURE_EXEC_DENY_INTERACTIVE_LOCKED: c_int = 11; + +pub const SECBIT_EXEC_DENY_INTERACTIVE: c_int = issecure_mask(SECURE_EXEC_DENY_INTERACTIVE); +pub const SECBIT_EXEC_DENY_INTERACTIVE_LOCKED: c_int = + issecure_mask(SECURE_EXEC_DENY_INTERACTIVE_LOCKED); + pub const SECUREBITS_DEFAULT: c_int = 0x00000000; -pub const SECURE_ALL_BITS: c_int = - SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE; +pub const SECURE_ALL_BITS: c_int = SECBIT_NOROOT + | SECBIT_NO_SETUID_FIXUP + | SECBIT_KEEP_CAPS + | SECBIT_NO_CAP_AMBIENT_RAISE + | SECBIT_EXEC_RESTRICT_FILE + | SECBIT_EXEC_DENY_INTERACTIVE; pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1; const fn issecure_mask(x: c_int) -> c_int {