UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-01-30 08:17:26 -0800
committer: John Rigby <john.rigby@linaro.org> 2012-06-21 02:53:21 -0600
commit: b57a2be56b3c41b2563985374b0116e8ea89dd9c (patch)
tree: 547ddcea7bb7cf23e9d8ff9fbec5fe02bbd7393f /fs
parent: 7f6f22c39b8ef95b88652e3b20e9f5ffcf906c5a (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 364f659b728..3ad4390116a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1249,6 +1249,13 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
 			bprm->unsafe |= LSM_UNSAFE_PTRACE;
 	}
 
+	/*
+	 * This isn't strictly necessary, but it makes it harder for LSMs to
+	 * mess up.
+	 */
+	if (current->no_new_privs)
+		bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
+
 	n_fs = 1;
 	spin_lock(&p->fs->lock);
 	rcu_read_lock();
@@ -1292,7 +1299,8 @@ int prepare_binprm(struct linux_binprm *bprm)
 	bprm->cred->euid = current_euid();
 	bprm->cred->egid = current_egid();
 
-	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
+	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+	    !current->no_new_privs) {
 		/* Set-uid? */
 		if (mode & S_ISUID) {
 			bprm->per_clear |= PER_CLEAR_ON_SETID;
author	Andy Lutomirski <luto@amacapital.net>	2012-01-30 08:17:26 -0800
committer	John Rigby <john.rigby@linaro.org>	2012-06-21 02:53:21 -0600
commit	b57a2be56b3c41b2563985374b0116e8ea89dd9c (patch)
tree	547ddcea7bb7cf23e9d8ff9fbec5fe02bbd7393f /fs
parent	7f6f22c39b8ef95b88652e3b20e9f5ffcf906c5a (diff)