UBUNTU: SAUCE: AppArmor: Disable Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-01-30 08:17:26 -0800
committer: John Rigby <john.rigby@linaro.org> 2012-06-25 15:02:22 -0600
commit: 9067f0d69a3926cb3c0fbdd2aba0c999a086ac1d (patch)
tree: c1235d95e6f29cc73f1e7b59d8cb52d791370876
parent: 741a9699a3328e78ee801b55143ae80f743c1efc (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index b81ea10a17a..507dd8583b0 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,6 +360,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (bprm->cred_prepared)
 		return 0;
 
+	/* XXX: no_new_privs is not usable with AppArmor yet */
+	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
+		return -EPERM;
+
 	cxt = bprm->cred->security;
 	BUG_ON(!cxt);
author	Andy Lutomirski <luto@amacapital.net>	2012-01-30 08:17:26 -0800
committer	John Rigby <john.rigby@linaro.org>	2012-06-25 15:02:22 -0600
commit	9067f0d69a3926cb3c0fbdd2aba0c999a086ac1d (patch)
tree	c1235d95e6f29cc73f1e7b59d8cb52d791370876
parent	741a9699a3328e78ee801b55143ae80f743c1efc (diff)