- To: Will Drewry <wad@xxxxxxxxxxxx>
- Subject: Re: [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
- From: Kees Cook <keescook@xxxxxxxxxxxx>
- Date: Thu, 12 Apr 2012 15:17:01 -0700
- Cc: linux-kernel@xxxxxxxxxxxxxxx, linux-man@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-arch@xxxxxxxxxxxxxxx, linux-doc@xxxxxxxxxxxxxxx, kernel-hardening@xxxxxxxxxxxxxxxxxx, netdev@xxxxxxxxxxxxxxx, x86@xxxxxxxxxx, arnd@xxxxxxxx, davem@xxxxxxxxxxxxx, hpa@xxxxxxxxx, mingo@xxxxxxxxxx, oleg@xxxxxxxxxx, peterz@xxxxxxxxxxxxx, rdunlap@xxxxxxxxxxxx, mcgrathr@xxxxxxxxxxxx, tglx@xxxxxxxxxxxxx, luto@xxxxxxx, eparis@xxxxxxxxxx, serge.hallyn@xxxxxxxxxxxxx, djm@xxxxxxxxxxx, scarybeasts@xxxxxxxxx, indan@xxxxxx, pmoore@xxxxxxxxxx, akpm@xxxxxxxxxxxxxxxxxxxx, corbet@xxxxxxx, eric.dumazet@xxxxxxxxx, markus@xxxxxxxxxxxx, coreyb@xxxxxxxxxxxxxxxxxx, jmorris@xxxxxxxxx, Andy Lutomirski <luto@xxxxxxxxxxxxxx>
- In-reply-to: <1334267284-19166-1-git-send-email-wad@chromium.org>
On Thu, Apr 12, 2012 at 2:47 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote:
> From: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>
> With this change, calling
> prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
> disables privilege granting operations at execve-time. For example, a
> process will not be able to execute a setuid binary to change their uid
> or gid if this bit is set. The same is true for file capabilities.
>
> Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
> LSMs respect the requested behavior.
>
> To determine if the NO_NEW_PRIVS bit is set, a task may call
> prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
> It returns 1 if set and 0 if it is not set. If any of the arguments are
> non-zero, it will return -1 and set errno to -EINVAL.
> (PR_SET_NO_NEW_PRIVS behaves similarly.)
>
> This functionality is desired for the proposed seccomp filter patch
> series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
> system call behavior for itself and its child tasks without being
> able to impact the behavior of a more privileged task.
>
> Another potential use is making certain privileged operations
> unprivileged. For example, chroot may be considered "safe" if it cannot
> affect privileged tasks.
>
> Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
> set and AppArmor is in use. It is fixed in a subsequent patch.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
> Signed-off-by: Will Drewry <wad@xxxxxxxxxxxx>
> Acked-by: Eric Paris <eparis@xxxxxxxxxx>
Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>
--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
[Netdev]
[Linux Ethernet Bridging]
[Linux Wireless]
[Kernel Newbies]
[Memory]
[Security]
[Linux for Hams]
[Netfilter]
[Bugtraq]
[Photo]
[Yosemite]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux RAID]
[Linux Admin]
[Samba]
[Video 4 Linux]
[Linux Resources]
