Implement support for NOEXEC

[bjorn3]

This is using seccomp syscall filtering of the execve and execveat syscalls. Unlike the original sudo this does not depend on using LD_PRELOAD. Instead SECCOMP_RET_USER_NOTIF is used combined with a thread which allows the first exec (as done by sudo itself) and denies all further execs. This makes it robust against both statically linked executables and executables compiled for a different libc than sudo-rs itself. Sudo-rs just like original sudo does not protect against malicious programs with NOEXEC. It doesn't prevent mapping memory as executable, nor does it protect against future syscalls that do an exec like the planned io_uring exec opcode ¹. And it also doesn't protect against honest programs that intentionally or not allow the user to write to /proc/self/mem for the same reasons as that it doesn't protect against malicious programs.

Fixes #1071
Fixes #1072

Footnotes

1. https://lwn.net/Articles/1002371/ ↩

[bjorn3]

Looks like our MSRV doesn't support offset_of!(). Can we raise the MSRV to 1.77? Debian Trixie will have rustc 1.85 and Debian Bookworm already doesn't have a new enough rustc for us.

[squell]

We can certainly consider that. How ugly is the workaround if we don't raise the MSRV to 1.77?

[bjorn3]

I believe it would be create a zeroed instance of seccomp_data, take the address of the start and the address of &val.nr and then subtract one from the other.

[squell]

Going to 1.77 would also allow taking a second look at #976 and #755, so I think the time has come.

The reason for fixing 1.70 was because at that time Debian testing and Ubuntu LTS were stuck at 1.66 for a long time.

[bjorn3]

Looks like Ubuntu LTS is still stuck at rustc 1.75.

[squell]

Two general questions:

• What would be the approach to take on FreeBSD? Presumable that would need the dynamic library trick? (This is not something that's in scope for merging this PR, but given that we have NOEXEC on Linux it just stands to reason we should want to have this on FreeBSD in the future)

• What's the minimum Linux version that is needed to support this implementation? I think we already looked into that and it was OK at leasts even for the Linux kernels used by oldstable and 20.04, but can we double-check?

[bjorn3]

What would be the approach to take on FreeBSD? Presumable that would need the dynamic library trick? (This is not something that's in scope for merging this PR, but given that we have NOEXEC on Linux it just stands to reason we should want to have this on FreeBSD in the future)

FreeBSD doesn't have seccomp support at all AFAIK (or at least I couldn't find any man page for it), so we would indeed need a dynamic library there.

What's the minimum Linux version that is needed to support this implementation? I think we already looked into that and it was OK at leasts even for the Linux kernels used by oldstable and 20.04, but can we double-check?

Should be 5.0, but I don't have a VM ready to check.

[squell]

What's the minimum Linux version that is needed to support this implementation? I think we already looked into that and it was OK at leasts even for the Linux kernels used by oldstable and 20.04, but can we double-check?

Should be 5.0, but I don't have a VM ready to check.

I recall that that was fine, nice!

[bjorn3]

Opened #1078 to track implementing NOEXEC on FreeBSD.

[squell]

Documentation is still missing, tracked in #1095

[squell]

Functionality LGTM, but I have left improvement suggestions on bjorn3#4 to make sure this code remains more understandable if we have to look at it again in the future.

Particular points to look at:

• Some separation of the fd handling / seccomp programming; there's a lot going on here.
• DRY'ing in handle_notifications: the business logic of this function is pretty simple and it would be nice if that is clearly visible