> Introduce a pluggable framework for ELF binary loading to allow dynamic
> resolution and redirection of program interpreters (PT_INTERP). This is
> primarily designed to support hermetic path resolution like NixOS $ORIGIN
> relative dynamic linkers without bloating the core ELF loader or compromising
> system execution security.
>
> Introduce a new registration interface for kernel modules to register
> open_interpreter callbacks. Standard ELF loading queries this registry; if a
> plugin resolves a custom segment type (like PT_INTERP_NIX), it returns a file
> descriptor for the resolved interpreter. Secure execution environments
> (bprm->secureexec) bypass relative resolution for safety.
>
> Signed-off-by: Farid Zakaria <[email protected]>
>
> diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
> index 1949e25c7741..ef4277fd8050 100644
> --- a/fs/Kconfig.binfmt
> +++ b/fs/Kconfig.binfmt
> @@ -38,6 +38,21 @@ config BINFMT_ELF_KUNIT_TEST
> only needed for debugging. Note that with CONFIG_COMPAT=y, the
> compat_binfmt_elf KUnit test is also created.
>
> +config BINFMT_ELF_PLUGINS
> + bool "Enable plugin support for ELF interpreter loading"
> + depends on BINFMT_ELF
> + help
> + This option allows kernel modules to register handlers to dynamically
> + resolve and override the ELF program interpreter (e.g. supporting
> relative
> + interpreter paths with $ORIGIN).
> +
> +config BINFMT_ELF_NIX
> + tristate "ELF interpreter plugin for NixOS ($ORIGIN support)"
> + depends on BINFMT_ELF_PLUGINS
> + help
> + This builds the NixOS ELF interpreter plugin. It intercepts
> PT_INTERP_NIX
> + headers to resolve relative and $ORIGIN interpreter paths.
> +
> config COMPAT_BINFMT_ELF
> def_bool y
> depends on COMPAT && BINFMT_ELF
> diff --git a/fs/Makefile b/fs/Makefile
> index 89a8a9d207d1..bd81e7ff64f3 100644
> --- a/fs/Makefile
> +++ b/fs/Makefile
> @@ -35,6 +35,7 @@ obj-$(CONFIG_FILE_LOCKING) += locks.o
> obj-$(CONFIG_BINFMT_MISC) += binfmt_misc.o
> obj-$(CONFIG_BINFMT_SCRIPT) += binfmt_script.o
> obj-$(CONFIG_BINFMT_ELF) += binfmt_elf.o
> +obj-$(CONFIG_BINFMT_ELF_NIX) += binfmt_elf_nix.o
> obj-$(CONFIG_COMPAT_BINFMT_ELF) += compat_binfmt_elf.o
> obj-$(CONFIG_BINFMT_ELF_FDPIC) += binfmt_elf_fdpic.o
> obj-$(CONFIG_BINFMT_FLAT) += binfmt_flat.o
> diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
> index 16a56b6b3f6c..53fa2681555a 100644
> --- a/fs/binfmt_elf.c
> +++ b/fs/binfmt_elf.c
> @@ -35,6 +35,7 @@
> #include <linux/random.h>
> #include <linux/elf.h>
> #include <linux/elf-randomize.h>
> +#include <linux/elf_plugins.h>
> #include <linux/utsname.h>
> #include <linux/coredump.h>
> #include <linux/sched.h>
> @@ -870,6 +871,12 @@ static int load_elf_binary(struct linux_binprm *bprm)
> if (!elf_phdata)
> goto out;
>
> + interpreter = elf_plugin_open_interpreter(bprm, elf_ex, elf_phdata);
> + if (IS_ERR(interpreter)) {
> + retval = PTR_ERR(interpreter);
> + goto out_free_ph;
> + }
> +
> elf_ppnt = elf_phdata;
> for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
> char *elf_interpreter;
> @@ -882,6 +889,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
> if (elf_ppnt->p_type != PT_INTERP)
> continue;
>
> + if (interpreter)
> + continue;
> +
> /*
> * This is the program interpreter used for shared libraries -
> * for now assume that this is an a.out format binary.
> @@ -935,6 +945,20 @@ static int load_elf_binary(struct linux_binprm *bprm)
> goto out_free_ph;
> }
>
> + if (interpreter && !interp_elf_ex) {
> + interp_elf_ex = kmalloc_obj(*interp_elf_ex);
> + if (!interp_elf_ex) {
> + retval = -ENOMEM;
> + goto out_free_file;
> + }
> +
> + /* Get the exec headers */
> + retval = elf_read(interpreter, interp_elf_ex,
> + sizeof(*interp_elf_ex), 0);
> + if (retval < 0)
> + goto out_free_dentry;
> + }
> +
> elf_ppnt = elf_phdata;
> for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
> switch (elf_ppnt->p_type) {
> diff --git a/fs/binfmt_elf_nix.c b/fs/binfmt_elf_nix.c
> new file mode 100644
> index 000000000000..d28b92c30939
> --- /dev/null
> +++ b/fs/binfmt_elf_nix.c
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +#include <linux/module.h>
> +#include <linux/kernel.h>
> +#include <linux/init.h>
> +#include <linux/fs.h>
> +#include <linux/path.h>
> +#include <linux/namei.h>
> +#include <linux/elf.h>
> +#include <linux/elf_plugins.h>
> +#include <linux/slab.h>
> +
> +MODULE_DESCRIPTION("ELF Interpreter plugin for NixOS / $ORIGIN");
> +MODULE_AUTHOR("Farid Zakaria");
> +MODULE_LICENSE("GPL");
> +
> +/* Mnemonic value for NixOS-specific program interpreter: 'N', 'I', 'X', 3 */
> +#define PT_INTERP_NIX (PT_LOOS + 0x4e49583)
> +
> +static struct file *nix_open_interpreter(struct linux_binprm *bprm,
> + struct elfhdr *elf_ex,
> + struct elf_phdr *elf_phdata)
> +{
> + struct elf_phdr *elf_ppnt;
> + struct file *interpreter = NULL;
> + char *elf_interpreter = NULL;
> + int i, retval;
> +
> + /* Find the custom Nix interpreter header */
> + elf_ppnt = elf_phdata;
> + for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++) {
> + if (elf_ppnt->p_type == PT_INTERP_NIX)
> + break;
> + }
> +
> + if (i == elf_ex->e_phnum)
> + return NULL; /* Segment not present; fall back to others */
> +
> + /* Security check: refuse relative interp resolution on secure
> execution */
> + if (bprm->secureexec) {
> + pr_warn_once("binfmt_elf_nix: secureexec active, refusing
> custom interpreter lookup\n");
> + return NULL; /* Fallback to standard PT_INTERP */
> + }
> +
> + if (elf_ppnt->p_filesz > PATH_MAX || elf_ppnt->p_filesz < 2)
> + return ERR_PTR(-ENOEXEC);
> +
> + elf_interpreter = kmalloc(elf_ppnt->p_filesz, GFP_KERNEL);
> + if (!elf_interpreter)
> + return ERR_PTR(-ENOMEM);
> +
> + /* Read the interpreter path from the executable file */
> + retval = kernel_read(bprm->file, elf_interpreter, elf_ppnt->p_filesz,
> &elf_ppnt->p_offset);
> + if (retval != elf_ppnt->p_filesz) {
> + retval = (retval < 0) ? retval : -EIO;
> + goto out_free;
> + }
> +
> + if (elf_interpreter[elf_ppnt->p_filesz - 1] != '\0') {
> + retval = -ENOEXEC;
> + goto out_free;
> + }
> +
> + /* Path Resolution: Absolute vs. $ORIGIN */
> + if (elf_interpreter[0] == '/') {
> + interpreter = open_exec(elf_interpreter);
> + } else if (strncmp(elf_interpreter, "$ORIGIN/", 8) == 0 ||
> strncmp(elf_interpreter, "${ORIGIN}/", 10) == 0) {
> + const char *rel_path = (elf_interpreter[0] == '$') ?
> (elf_interpreter + 8) : (elf_interpreter + 10);
> + struct path parent_path;
> +
> + /* Reference parent directory of the executed file safely */
> + parent_path.mnt = mntget(bprm->file->f_path.mnt);
> + parent_path.dentry = dget_parent(bprm->file->f_path.dentry);
> +
> + /* Open relative to parent directory */
> + interpreter = file_open_root(&parent_path, rel_path, O_RDONLY,
> 0);
> +
> + path_put(&parent_path);
> + } else {
> + /* Naked relative paths are rejected for safety */
> + retval = -ENOEXEC;
> + goto out_free;
> + }
> +
> + kfree(elf_interpreter);
> + return interpreter;
> +
> +out_free:
> + kfree(elf_interpreter);
> + return ERR_PTR(retval);
> +}
> +
> +static struct elf_plugin nix_elf_plugin = {
> + .owner = THIS_MODULE,
> + .open_interpreter = nix_open_interpreter,
> +};
> +
> +static int __init binfmt_elf_nix_init(void)
> +{
> + return register_elf_plugin(&nix_elf_plugin);
> +}
> +
> +static void __exit binfmt_elf_nix_exit(void)
> +{
> + unregister_elf_plugin(&nix_elf_plugin);
> +}
> +
> +module_init(binfmt_elf_nix_init);
> +module_exit(binfmt_elf_nix_exit);
> diff --git a/fs/exec.c b/fs/exec.c
> index b92fe7db176c..45813bbce833 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -46,6 +46,7 @@
> #include <linux/key.h>
> #include <linux/personality.h>
> #include <linux/binfmts.h>
> +#include <linux/elf_plugins.h>
> #include <linux/utsname.h>
> #include <linux/pid_namespace.h>
> #include <linux/module.h>
> @@ -108,6 +109,52 @@ void unregister_binfmt(struct linux_binfmt * fmt)
>
> EXPORT_SYMBOL(unregister_binfmt);
>
> +#if IS_ENABLED(CONFIG_BINFMT_ELF_PLUGINS)
> +static DEFINE_MUTEX(elf_plugins_lock);
> +static LIST_HEAD(elf_plugins);
> +
> +int register_elf_plugin(struct elf_plugin *plugin)
> +{
> + mutex_lock(&elf_plugins_lock);
> + list_add_tail(&plugin->list, &elf_plugins);
> + mutex_unlock(&elf_plugins_lock);
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(register_elf_plugin);
> +
> +void unregister_elf_plugin(struct elf_plugin *plugin)
> +{
> + mutex_lock(&elf_plugins_lock);
> + list_del(&plugin->list);
> + mutex_unlock(&elf_plugins_lock);
> +}
> +EXPORT_SYMBOL_GPL(unregister_elf_plugin);
> +
> +struct file *elf_plugin_open_interpreter(struct linux_binprm *bprm,
> + struct elfhdr *elf_ex,
> + struct elf_phdr *elf_phdata)
> +{
> + struct elf_plugin *plugin;
> + struct file *file = NULL;
> +
> + mutex_lock(&elf_plugins_lock);
> + list_for_each_entry(plugin, &elf_plugins, list) {
> + if (!try_module_get(plugin->owner))
> + continue;
> + mutex_unlock(&elf_plugins_lock);
> +
> + file = plugin->open_interpreter(bprm, elf_ex, elf_phdata);
I have to say I do not like this at all because it also means you need
actual kernel modules for custom binaries. Yeech.
I think you should extend binfmt_misc for that, combining it with bpf.
When binfmt_misc selects the interpreter a bpf program is run. That bpf
program is passed the necessary information to make a decision. It can
check whether it's in the right sandbox. Then checks if the interpreter
starts with the magic ORIGIN string or whatever. Once it has determined
that a binfmt_misc entry applies things progress as usual. Then you can
point binfmt_misc at a static binary that finds the right loader to use.
--
Christian Brauner <[email protected]>