UBUNTU: SAUCE: AppArmor: Disable Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-01-30 08:17:26 -0800
committer: John Rigby <john.rigby@linaro.org> 2012-06-21 17:22:00 -0600
commit: ebde54d9610ebfe37152fac403c372b3d2541b80 (patch)
tree: c1235d95e6f29cc73f1e7b59d8cb52d791370876 /security
parent: 217de84a46511cc9349b8ed29b4081b70929efa6 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10a17a..507dd8583b0 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,6 +360,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (bprm->cred_prepared)
 		return 0;
 
+	/* XXX: no_new_privs is not usable with AppArmor yet */
+	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
+		return -EPERM;
+
 	cxt = bprm->cred->security;
 	BUG_ON(!cxt);
author	Andy Lutomirski <luto@amacapital.net>	2012-01-30 08:17:26 -0800
committer	John Rigby <john.rigby@linaro.org>	2012-06-21 17:22:00 -0600
commit	ebde54d9610ebfe37152fac403c372b3d2541b80 (patch)
tree	c1235d95e6f29cc73f1e7b59d8cb52d791370876 /security
parent	217de84a46511cc9349b8ed29b4081b70929efa6 (diff)