* linux-next: manual merge of the akpm with the security tree
@ 2012-02-10 5:50 Stephen Rothwell
0 siblings, 0 replies; 3+ messages in thread
From: Stephen Rothwell @ 2012-02-10 5:50 UTC (permalink / raw)
To: Andrew Morton
Cc: linux-next, linux-kernel, Kees Cook, John Johansen, James Morris,
Lennart Poettering
[-- Attachment #1: Type: text/plain, Size: 952 bytes --]
Hi Andrew,
Today's linux-next merge of the scsi-post-merge tree got a conflict in
include/linux/prctl.h between commit 2d514487faf1 ("security: Yama LSM")
from the security tree and commit "prctl: add PR_{SET,GET}
_CHILD_SUBREAPER to allow simple process supervision" from the akpm tree.
Just context changes. I fixed it up (see below) and can carry the fix as
necessary.
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
diff --cc include/linux/prctl.h
index 4d0e5bc,b885c85..0000000
--- a/include/linux/prctl.h
+++ b/include/linux/prctl.h
@@@ -114,10 -114,7 +114,13 @@@
# define PR_SET_MM_START_BRK 6
# define PR_SET_MM_BRK 7
+ #define PR_SET_CHILD_SUBREAPER 35
+ #define PR_GET_CHILD_SUBREAPER 36
+
+/*
+ * Set specific pid that is allowed to ptrace the current task.
+ * A value of 0 mean "no process".
+ */
+#define PR_SET_PTRACER 0x59616d61
+
#endif /* _LINUX_PRCTL_H */
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: linux-next: manual merge of the akpm with the security tree
2012-04-16 5:02 Stephen Rothwell
@ 2012-04-16 6:08 ` Cyrill Gorcunov
0 siblings, 0 replies; 3+ messages in thread
From: Cyrill Gorcunov @ 2012-04-16 6:08 UTC (permalink / raw)
To: Stephen Rothwell
Cc: Andrew Morton, linux-next, linux-kernel, Andy Lutomirski,
Will Drewry, James Morris
On Mon, Apr 16, 2012 at 03:02:58PM +1000, Stephen Rothwell wrote:
> Hi Andrew,
>
> Today's linux-next merge of the akpm tree got conflicts in kernel/sys.c
> and include/linux/prctl.h between commit 259e5e6c75a9 ("Add PR_{GET,SET}
> _NO_NEW_PRIVS to prevent execve from granting privs") from the security
> tree and patch "c/r: prctl: add ability to get clear_tid_address" from
> the akpm tree.
>
> I fixed them up (see below) and can carry the fix as necessary.
Thanks, Stephen.
Cyrill
^ permalink raw reply [flat|nested] 3+ messages in thread
* linux-next: manual merge of the akpm with the security tree
@ 2012-04-16 5:02 Stephen Rothwell
2012-04-16 6:08 ` Cyrill Gorcunov
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Rothwell @ 2012-04-16 5:02 UTC (permalink / raw)
To: Andrew Morton
Cc: linux-next, linux-kernel, Andy Lutomirski, Will Drewry,
James Morris, Cyrill Gorcunov
[-- Attachment #1: Type: text/plain, Size: 2162 bytes --]
Hi Andrew,
Today's linux-next merge of the akpm tree got conflicts in kernel/sys.c
and include/linux/prctl.h between commit 259e5e6c75a9 ("Add PR_{GET,SET}
_NO_NEW_PRIVS to prevent execve from granting privs") from the security
tree and patch "c/r: prctl: add ability to get clear_tid_address" from
the akpm tree.
I fixed them up (see below) and can carry the fix as necessary.
--
Cheers,
Stephen Rothwell sfr@canb.auug.org.au
diff --cc include/linux/prctl.h
index 711e0a3,ecbe30e..0000000
--- a/include/linux/prctl.h
+++ b/include/linux/prctl.h
@@@ -130,19 -130,6 +130,21 @@@
#define PR_SET_CHILD_SUBREAPER 36
#define PR_GET_CHILD_SUBREAPER 37
-#define PR_GET_TID_ADDRESS 38
+/*
+ * If no_new_privs is set, then operations that grant new privileges (i.e.
+ * execve) will either fail or not grant them. This affects suid/sgid,
+ * file capabilities, and LSMs.
+ *
+ * Operations that merely manipulate or drop existing privileges (setresuid,
+ * capset, etc.) will still work. Drop those privileges if you want them gone.
+ *
+ * Changing LSM security domain is considered a new privilege. So, for example,
+ * asking selinux for a specific new context (e.g. with runcon) will result
+ * in execve returning -EPERM.
+ */
+#define PR_SET_NO_NEW_PRIVS 38
+#define PR_GET_NO_NEW_PRIVS 39
+
++#define PR_GET_TID_ADDRESS 40
+
#endif /* _LINUX_PRCTL_H */
diff --cc kernel/sys.c
index 500c885,1d57adf..0000000
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@@ -2082,16 -2092,9 +2092,19 @@@ SYSCALL_DEFINE5(prctl, int, option, uns
error = put_user(me->signal->is_child_subreaper,
(int __user *) arg2);
break;
+ case PR_SET_NO_NEW_PRIVS:
+ if (arg2 != 1 || arg3 || arg4 || arg5)
+ return -EINVAL;
+
+ current->no_new_privs = 1;
+ break;
+ case PR_GET_NO_NEW_PRIVS:
+ if (arg2 || arg3 || arg4 || arg5)
+ return -EINVAL;
+ return current->no_new_privs ? 1 : 0;
+ case PR_GET_TID_ADDRESS:
+ error = prctl_get_tid_address(me, (int __user **)arg2);
+ break;
default:
error = -EINVAL;
break;
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-04-16 6:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-02-10 5:50 linux-next: manual merge of the akpm with the security tree Stephen Rothwell
2012-04-16 5:02 Stephen Rothwell
2012-04-16 6:08 ` Cyrill Gorcunov
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).