I did a little more learning/experimentation and actually produced a somewhat useful LSM, which allows you to restrict command execution via the use of a user-space helper:
- Whenever a user tries to run a command the LSM hook receives the request.
- Then it executes a user-space binary to decide whether to allow that or not (!)
Because the decision is made in user-space, writing your own custom rules is both safe and easy. No need to touch the kernel any further!
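As an added illustration of the kind of user-space helper described above (this is example code, not the can-exec module's own helper), here is a small policy program. The interface is assumed, since the post does not spell it out: the helper receives the executable's absolute path in argv[1] and signals "allow" with exit status 0 and "deny" with any non-zero status. The allow-list prefixes and the denied path are constructed sample policy.

```c
/* Added example: a stand-alone user-space exec-policy helper.
 * Assumed contract (not specified by the post): the LSM runs this helper
 * with the executable's absolute path in argv[1] and treats exit status 0
 * as "allow" and any non-zero status as "deny". */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define EXEC_ALLOW 0
#define EXEC_DENY  1

/* Directories from which execution is permitted (constructed sample policy). */
static const char *const allowed_prefixes[] = {
    "/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/", "/usr/lib/", NULL
};

/* Explicitly denied binaries; checked before the allow-list so that a deny
 * entry always wins over a matching prefix (constructed placeholder). */
static const char *const denied_paths[] = {
    "/usr/bin/legacy-tool", NULL
};

/* Returns 1 if s starts with prefix, else 0. */
static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Returns 1 if the path contains a "." or ".." component, else 0. */
static int has_dot_component(const char *path) {
    size_t n = strlen(path);
    if (strstr(path, "/../") != NULL || strstr(path, "/./") != NULL)
        return 1;
    if (n >= 3 && strcmp(path + n - 3, "/..") == 0)
        return 1;
    if (n >= 2 && strcmp(path + n - 2, "/.") == 0)
        return 1;
    return 0;
}

/* Decide whether executing `path` is allowed. Kept as a pure function so the
 * policy can be tested independently of the process exit status. */
int decide_exec(const char *path) {
    if (path == NULL || path[0] != '/')
        return EXEC_DENY;              /* empty or relative path: refuse */
    if (has_dot_component(path))
        return EXEC_DENY;              /* non-canonical path: refuse */
    for (const char *const *p = denied_paths; *p != NULL; p++)
        if (strcmp(path, *p) == 0)
            return EXEC_DENY;
    for (const char *const *p = allowed_prefixes; *p != NULL; p++)
        if (has_prefix(path, *p))
            return EXEC_ALLOW;
    return EXEC_DENY;                  /* default deny */
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <absolute-path-of-executable>\n", argv[0]);
        return EXEC_DENY;
    }
    int verdict = decide_exec(argv[1]);
    /* Only the exit status reaches the kernel side; stderr is for the operator. */
    fprintf(stderr, "exec helper: %s -> %s\n", argv[1],
            verdict == EXEC_ALLOW ? "allow" : "deny");
    return verdict;
}
```

Two design points worth noting: the policy is default-deny with deny entries evaluated before the allow-list, and any path that is relative or contains "." / ".." components is refused rather than normalised. A string-based rule like this is only as good as the path the kernel hands it, so the hook should pass the resolved path of the file actually being executed rather than whatever the caller typed.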
Yesterday I rebased all the modules so that they work against the latest stable kernel, 5.4.22 (#7).
The last time I'd touched them they were built against 5.1, which was itself a big jump forward from the 4.16.7 version I'd initially used.
Finally I updated the can-exec module to make it gated, which means you can turn it on, but not turn it off without a reboot. That was an obvious omission from the initial implementation (#11).
Anyway, updated code is available here:
I'd kinda like to write more similar things, but I lack inspiration.