Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



This is a LSM in which the kernel calls a user-mode helper to decide if binaries should be executed.

Every time a command is to be executed the kernel will invoke:

/sbin/can-exec $UID $COMMAND

Where the arguments are the UID of the invoking user, and the command they're trying to execute. If the user-space binary exits with a return-code of zero the execution will be permitted, otherwise it will be denied.

Installation & Configuration

Build the kernel with this support enabled, and then you'll need to configure the user-space side.

  • Install /sbin/can-exec from the samples/ directory.
    • This will be invoked to decide if users can execute binaries.
    • The sample implementation will read configuration files beneath /etc/can-exec, but you could rewrite it to only allow execution of commands between specific times of the day, or something entirely different!

I have these configuration-files setup upon my system:

  root@kernel:~# cat /etc/can-exec/redis.conf

  root@kernel:~# cat /etc/can-exec/nobody.conf

That means:

  • The redis user can execute only the single binary /usr/bin/redis-server.
  • The nobody user can execute:
    • /bin/sh
    • /bin/dash
    • /bin/bash
    • /usr/bin/id
    • /usr/bin/uptime

Once the user-space binary is in-place you'll need to enable the enforcement by running:

 echo 1 > /proc/sys/kernel/can-exec/enabled


There is some back-story in the following blog-post: