From: Will Drewry <wad@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: linux-man@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de, davem@davemloft.net,
hpa@zytor.com, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, keescook@chromium.org,
jmorris@namei.org, John Johansen <john.johansen@canonical.com>,
Will Drewry <wad@chromium.org>,
Andy Lutomirski <luto@amacapital.net>
Subject: [PATCH v18 02/15] Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
Date: Thu, 12 Apr 2012 16:47:51 -0500 [thread overview]
Message-ID: <1334267284-19166-2-git-send-email-wad@chromium.org> (raw)
In-Reply-To: <1334267284-19166-1-git-send-email-wad@chromium.org>
From: John Johansen <john.johansen@canonical.com>
Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.
Transitions from unconfined are still allowed because this always results
in a reduction of privileges.
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
v18: new acked-by, new description
---
security/apparmor/domain.c | 39 +++++++++++++++++++++++++++++++++++----
1 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 18c88d0..b81ea10 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,10 +360,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- /* XXX: no_new_privs is not usable with AppArmor yet */
- if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
- return -EPERM;
-
cxt = bprm->cred->security;
BUG_ON(!cxt);
@@ -398,6 +394,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
new_profile = find_attach(ns, &ns->base.profiles, name);
if (!new_profile)
goto cleanup;
+ /*
+ * NOTE: Domain transitions from unconfined are allowed
+ * even when no_new_privs is set because this aways results
+ * in a further reduction of permissions.
+ */
goto apply;
}
@@ -459,6 +460,16 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* fail exec */
error = -EACCES;
+ /*
+ * Policy has specified a domain transition, if no_new_privs then
+ * fail the exec.
+ */
+ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
+ aa_put_profile(new_profile);
+ error = -EPERM;
+ goto cleanup;
+ }
+
if (!new_profile)
goto audit;
@@ -613,6 +624,14 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
const char *target = NULL, *info = NULL;
int error = 0;
+ /*
+ * Fail explicitly requested domain transitions if no_new_privs.
+ * There is no exception for unconfined as change_hat is not
+ * available.
+ */
+ if (current->no_new_privs)
+ return -EPERM;
+
/* released below */
cred = get_current_cred();
cxt = cred->security;
@@ -754,6 +773,18 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
cxt = cred->security;
profile = aa_cred_profile(cred);
+ /*
+ * Fail explicitly requested domain transitions if no_new_privs
+ * and not unconfined.
+ * Domain transitions from unconfined are allowed even when
+ * no_new_privs is set because this aways results in a reduction
+ * of permissions.
+ */
+ if (current->no_new_privs && !unconfined(profile)) {
+ put_cred(cred);
+ return -EPERM;
+ }
+
if (ns_name) {
/* released below */
ns = aa_find_namespace(profile->ns, ns_name);
--
1.7.5.4
WARNING: multiple messages have this Message-ID (diff)
From: Will Drewry <wad@chromium.org>
To: linux-kernel@vger.kernel.org
Cc: linux-man@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-arch@vger.kernel.org, linux-doc@vger.kernel.org,
kernel-hardening@lists.openwall.com, netdev@vger.kernel.org,
x86@kernel.org, arnd@arndb.de, davem@davemloft.net,
hpa@zytor.com, mingo@redhat.com, oleg@redhat.com,
peterz@infradead.org, rdunlap@xenotime.net,
mcgrathr@chromium.org, tglx@linutronix.de, luto@mit.edu,
eparis@redhat.com, serge.hallyn@canonical.com, djm@mindrot.org,
scarybeasts@gmail.com, indan@nul.nu, pmoore@redhat.com,
akpm@linux-foundation.org, corbet@lwn.net,
eric.dumazet@gmail.com, markus@chromium.org,
coreyb@linux.vnet.ibm.com, keescook@chromium.org,
jmorris@namei.org, John Johansen <john.johansen@canonical.com>,
Will Drewry <wad@chromium.org>,
Andy Lutomirski <luto@amacapital.net>
Subject: [kernel-hardening] [PATCH v18 02/15] Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS
Date: Thu, 12 Apr 2012 16:47:51 -0500 [thread overview]
Message-ID: <1334267284-19166-2-git-send-email-wad@chromium.org> (raw)
In-Reply-To: <1334267284-19166-1-git-send-email-wad@chromium.org>
From: John Johansen <john.johansen@canonical.com>
Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.
Transitions from unconfined are still allowed because this always results
in a reduction of privileges.
Acked-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
v18: new acked-by, new description
---
security/apparmor/domain.c | 39 +++++++++++++++++++++++++++++++++++----
1 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 18c88d0..b81ea10 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,10 +360,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if (bprm->cred_prepared)
return 0;
- /* XXX: no_new_privs is not usable with AppArmor yet */
- if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
- return -EPERM;
-
cxt = bprm->cred->security;
BUG_ON(!cxt);
@@ -398,6 +394,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
new_profile = find_attach(ns, &ns->base.profiles, name);
if (!new_profile)
goto cleanup;
+ /*
+ * NOTE: Domain transitions from unconfined are allowed
+ * even when no_new_privs is set because this aways results
+ * in a further reduction of permissions.
+ */
goto apply;
}
@@ -459,6 +460,16 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* fail exec */
error = -EACCES;
+ /*
+ * Policy has specified a domain transition, if no_new_privs then
+ * fail the exec.
+ */
+ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
+ aa_put_profile(new_profile);
+ error = -EPERM;
+ goto cleanup;
+ }
+
if (!new_profile)
goto audit;
@@ -613,6 +624,14 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
const char *target = NULL, *info = NULL;
int error = 0;
+ /*
+ * Fail explicitly requested domain transitions if no_new_privs.
+ * There is no exception for unconfined as change_hat is not
+ * available.
+ */
+ if (current->no_new_privs)
+ return -EPERM;
+
/* released below */
cred = get_current_cred();
cxt = cred->security;
@@ -754,6 +773,18 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
cxt = cred->security;
profile = aa_cred_profile(cred);
+ /*
+ * Fail explicitly requested domain transitions if no_new_privs
+ * and not unconfined.
+ * Domain transitions from unconfined are allowed even when
+ * no_new_privs is set because this aways results in a reduction
+ * of permissions.
+ */
+ if (current->no_new_privs && !unconfined(profile)) {
+ put_cred(cred);
+ return -EPERM;
+ }
+
if (ns_name) {
/* released below */
ns = aa_find_namespace(profile->ns, ns_name);
--
1.7.5.4
next prev parent reply other threads:[~2012-04-12 21:55 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-12 21:47 [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` Will Drewry [this message]
2012-04-12 21:47 ` [kernel-hardening] [PATCH v18 02/15] Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS Will Drewry
2012-04-12 21:47 ` [PATCH v18 03/15] sk_run_filter: add BPF_S_ANC_SECCOMP_LD_W Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 04/15] net/compat.c,linux/filter.h: share compat_sock_fprog Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` Will Drewry
2012-04-12 21:47 ` [PATCH v18 05/15] seccomp: kill the seccomp_t typedef Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 06/15] asm/syscall.h: add syscall_get_arch Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 07/15] arch/x86: add syscall_get_arch to syscall.h Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 22:18 ` Kees Cook
2012-04-12 22:18 ` [kernel-hardening] " Kees Cook
2012-04-12 21:47 ` [PATCH v18 08/15] seccomp: add system call filtering using BPF Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 22:19 ` Kees Cook
2012-04-12 22:19 ` [kernel-hardening] " Kees Cook
2012-04-12 22:19 ` Kees Cook
2012-04-12 21:47 ` [PATCH v18 09/15] seccomp: remove duplicated failure logging Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:47 ` [PATCH v18 10/15] seccomp: add SECCOMP_RET_ERRNO Will Drewry
2012-04-12 21:47 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 11/15] signal, x86: add SIGSYS info and make it synchronous Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 12/15] seccomp: Add SECCOMP_RET_TRAP Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 13/15] ptrace,seccomp: Add PTRACE_SECCOMP support Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 21:48 ` [PATCH v18 14/15] x86: Enable HAVE_ARCH_SECCOMP_FILTER Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 22:16 ` Kees Cook
2012-04-12 22:16 ` [kernel-hardening] " Kees Cook
2012-04-12 21:48 ` [PATCH v18 15/15] Documentation: prctl/seccomp_filter Will Drewry
2012-04-12 21:48 ` [kernel-hardening] " Will Drewry
2012-04-12 22:11 ` Kees Cook
2012-04-12 22:11 ` [kernel-hardening] " Kees Cook
2012-04-18 2:28 ` Paul Gortmaker
2012-04-18 2:28 ` [kernel-hardening] " Paul Gortmaker
2012-04-18 2:53 ` Will Drewry
2012-04-18 2:53 ` [kernel-hardening] " Will Drewry
2012-04-18 2:53 ` Will Drewry
2012-04-12 22:17 ` [PATCH v18 01/15] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Kees Cook
2012-04-12 22:17 ` [kernel-hardening] " Kees Cook
2012-04-13 4:16 ` James Morris
2012-04-13 4:16 ` [kernel-hardening] " James Morris
2012-04-13 4:16 ` James Morris
2012-04-13 4:16 ` James Morris
2012-04-13 4:25 ` Andrew Lutomirski
2012-04-13 4:25 ` [kernel-hardening] " Andrew Lutomirski
2012-04-13 4:25 ` Andrew Lutomirski
2012-04-13 4:34 ` James Morris
2012-04-13 4:34 ` [kernel-hardening] " James Morris
2012-04-13 4:34 ` James Morris
2012-04-13 4:34 ` James Morris
2012-04-13 4:40 ` Andy Lutomirski
2012-04-13 4:40 ` [kernel-hardening] " Andy Lutomirski
2012-04-14 1:45 ` James Morris
2012-04-14 1:45 ` [kernel-hardening] " James Morris
2012-04-14 3:06 ` Will Drewry
2012-04-14 3:06 ` [kernel-hardening] " Will Drewry
2012-04-14 3:06 ` Will Drewry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1334267284-19166-2-git-send-email-wad@chromium.org \
--to=wad@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=coreyb@linux.vnet.ibm.com \
--cc=davem@davemloft.net \
--cc=djm@mindrot.org \
--cc=eparis@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hpa@zytor.com \
--cc=indan@nul.nu \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@mit.edu \
--cc=markus@chromium.org \
--cc=mcgrathr@chromium.org \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=pmoore@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=scarybeasts@gmail.com \
--cc=serge.hallyn@canonical.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.