UBUNTU: SAUCE: SECCOMP: Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs

With this set, a lot of dangerous operations (chroot, unshare, etc) become a lot less dangerous because there is no possibility of subverting privileged binaries. This patch completely breaks apparmor. Someone who understands (and uses) apparmor should fix it or at least give me a hint. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Kees Cook <kees@ubuntu.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-01-30 08:17:26 -0800
committer: John Rigby <john.rigby@linaro.org> 2012-06-20 14:33:51 -0600
commit: f24856dd0f4064ed18e13fddbfdce6df706234fb (patch)
tree: 547ddcea7bb7cf23e9d8ff9fbec5fe02bbd7393f /security/commoncap.c
parent: 0ff6317448948f553f1bd69eb5c58af6769a4d3e (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 5d63aac4b90..5bedc1288cb 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -512,14 +512,17 @@ skip:
 
 
 	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
-	 * credentials unless they have the appropriate permit
+	 * credentials unless they have the appropriate permit.
+	 *
+	 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
 	 */
 	if ((new->euid != old->uid ||
 	     new->egid != old->gid ||
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 		/* downgrade; they get no more than they had, and maybe less */
-		if (!capable(CAP_SETUID)) {
+		if (!capable(CAP_SETUID) ||
+		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
 			new->euid = new->uid;
 			new->egid = new->gid;
 		}
author	Andy Lutomirski <luto@amacapital.net>	2012-01-30 08:17:26 -0800
committer	John Rigby <john.rigby@linaro.org>	2012-06-20 14:33:51 -0600
commit	f24856dd0f4064ed18e13fddbfdce6df706234fb (patch)
tree	547ddcea7bb7cf23e9d8ff9fbec5fe02bbd7393f /security/commoncap.c
parent	0ff6317448948f553f1bd69eb5c58af6769a4d3e (diff)