[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

On Thu, Apr 12, 2012 at 2:47 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote:
> From: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> With this change, calling
>  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
> disables privilege granting operations at execve-time.  For example, a
> process will not be able to execute a setuid binary to change their uid
> or gid if this bit is set.  The same is true for file capabilities.
> Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
> LSMs respect the requested behavior.
> To determine if the NO_NEW_PRIVS bit is set, a task may call
>  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
> It returns 1 if set and 0 if it is not set. If any of the arguments are
> non-zero, it will return -1 and set errno to -EINVAL.
> (PR_SET_NO_NEW_PRIVS behaves similarly.)
> This functionality is desired for the proposed seccomp filter patch
> series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
> system call behavior for itself and its child tasks without being
> able to impact the behavior of a more privileged task.
> Another potential use is making certain privileged operations
> unprivileged.  For example, chroot may be considered "safe" if it cannot
> affect privileged tasks.
> Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
> set and AppArmor is in use.  It is fixed in a subsequent patch.
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
> Acked-by: Eric Paris <eparis@xxxxxxxxxx>

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

Kees Cook
ChromeOS Security
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]

Powered by Linux