diff options
author | Andy Lutomirski <luto@amacapital.net> | 2012-01-30 08:17:26 -0800 |
---|---|---|
committer | John Rigby <john.rigby@linaro.org> | 2012-06-20 20:14:11 -0600 |
commit | 795118fec836dba4bd9944d3bf074081c54f5558 (patch) | |
tree | 547ddcea7bb7cf23e9d8ff9fbec5fe02bbd7393f /fs | |
parent | e66360f58a2beab6ffffb5b6f19d817aa0938fa5 (diff) |
UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
With this set, a lot of dangerous operations (chroot, unshare, etc)
become a lot less dangerous because there is no possibility of
subverting privileged binaries.
This patch completely breaks apparmor. Someone who understands (and
uses) apparmor should fix it or at least give me a hint.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Kees Cook <kees@ubuntu.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/exec.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c index 364f659b728..3ad4390116a 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1249,6 +1249,13 @@ static int check_unsafe_exec(struct linux_binprm *bprm) bprm->unsafe |= LSM_UNSAFE_PTRACE; } + /* + * This isn't strictly necessary, but it makes it harder for LSMs to + * mess up. + */ + if (current->no_new_privs) + bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS; + n_fs = 1; spin_lock(&p->fs->lock); rcu_read_lock(); @@ -1292,7 +1299,8 @@ int prepare_binprm(struct linux_binprm *bprm) bprm->cred->euid = current_euid(); bprm->cred->egid = current_egid(); - if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { + if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) && + !current->no_new_privs) { /* Set-uid? */ if (mode & S_ISUID) { bprm->per_clear |= PER_CLEAR_ON_SETID; |