UBUNTU: SAUCE: AppArmor: Disable Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-01-30 08:17:26 -0800
committer: John Rigby <john.rigby@linaro.org> 2012-06-21 03:26:28 -0600
commit: edf6bca0a228e1e1feb6d2e25f2473438ca28a0b (patch)
tree: c1235d95e6f29cc73f1e7b59d8cb52d791370876
parent: 8e2282c99d82aa7b91d3d26f0b48bd270a1aef5c (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10a17a..507dd8583b0 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,6 +360,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (bprm->cred_prepared)
 		return 0;
 
+	/* XXX: no_new_privs is not usable with AppArmor yet */
+	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
+		return -EPERM;
+
 	cxt = bprm->cred->security;
 	BUG_ON(!cxt);
author	Andy Lutomirski <luto@amacapital.net>	2012-01-30 08:17:26 -0800
committer	John Rigby <john.rigby@linaro.org>	2012-06-21 03:26:28 -0600
commit	edf6bca0a228e1e1feb6d2e25f2473438ca28a0b (patch)
tree	c1235d95e6f29cc73f1e7b59d8cb52d791370876
parent	8e2282c99d82aa7b91d3d26f0b48bd270a1aef5c (diff)