linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot
@ 2012-01-30 16:17 Andy Lutomirski
  2012-01-30 16:17 ` [PATCH v3 1/4] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Andy Lutomirski
                   ` (3 more replies)
  0 siblings, 4 replies; 22+ messages in thread
From: Andy Lutomirski @ 2012-01-30 16:17 UTC (permalink / raw)
  To: Will Drewry, linux-kernel
  Cc: Casey Schaufler, Linus Torvalds, Jamie Lokier, keescook,
	john.johansen, serge.hallyn, coreyb, pmoore, eparis, djm, segoon,
	rostedt, jmorris, scarybeasts, avi, penberg, viro, mingo, akpm,
	khilman, borislav.petkov, amwang, oleg, ak, eric.dumazet, gregkh,
	dhowells, daniel.lezcano, linux-fsdevel, linux-security-module,
	olofj, mhalcrow, dlaor, corbet, alan, Al Viro, Andy Lutomirski

This adds PR_{GET,SET}_NO_NEW_PRIVS.  As an example of its use, it
allows some unshare operations and (sometimes) chroot when no_new_privs
is set.  Another example is the experimental pam module here:

http://web.mit.edu/luto/www/linux/

After some impressively long mailing list threads, I still think that
blocking setresuid, setuid, and capset in no_new_privs mode is
unnecessary and overcomplicated.  Additionally, blocking those calls
will make my pam module either fail or become a giant security hole
(depending on how carefully the core pam stuff is written -- I haven't
checked).

Changes from v2:
 - Rebased onto a very recent -linus tree.
 - Changed prctl numbering.  (Needed because prctl 35 is now taken.)
 - Fixed a typo or two.
 - Removed explicit propagation of no_new_privs.  dup_task_struct is enough.
 - Reworked the chroot patch.  It now uses hopefully much more sane logic
   to decide whether the user is chrooted.  It also checks that fs is not
   shared (which was a big security hole in the earlier version).

For the git-inclined, this series is here:
https://git.kernel.org/?p=linux/kernel/git/luto/linux.git;a=shortlog;h=refs/heads/security/no_new_privs/patch_v3

Test it like this:

---- begin test case

#include <sys/prctl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

#define PR_SET_NO_NEW_PRIVS 36
#define PR_GET_NO_NEW_PRIVS 37

int main()
{
  int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
  if (nnp == -EINVAL) {
    printf("Failed!\n");
    return 1;
  }

  printf("nnp was %d\n", nnp);

  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
    printf("Failed!\n");
    return 1;
  }

  nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
  if (nnp == -EINVAL) {
    printf("Failed!\n");
    return 1;
  }

  printf("nnp is %d\n", nnp);

  printf("here goes...\n");
  execlp("bash", "bash", NULL);
  printf("Failed to exec bash\n");
  return 1;
}

---- end test case

Andy Lutomirski (3):
  Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
  Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs
  Allow unprivileged chroot when safe

John Johansen (1):
  Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS

 fs/exec.c                  |   10 ++++++++-
 fs/open.c                  |   46 ++++++++++++++++++++++++++++++++++++++++++-
 include/linux/prctl.h      |   15 ++++++++++++++
 include/linux/sched.h      |    2 +
 include/linux/security.h   |    1 +
 kernel/nsproxy.c           |    8 ++++++-
 kernel/sys.c               |   10 +++++++++
 security/apparmor/domain.c |   35 +++++++++++++++++++++++++++++++++
 security/commoncap.c       |    7 ++++-
 security/selinux/hooks.c   |   10 ++++++++-
 10 files changed, 137 insertions(+), 7 deletions(-)

-- 
1.7.7.6


^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2012-02-09  9:39 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-01-30 16:17 [PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot Andy Lutomirski
2012-01-30 16:17 ` [PATCH v3 1/4] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs Andy Lutomirski
2012-02-01 18:14   ` Kees Cook
2012-01-30 16:17 ` [PATCH v3 2/4] Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS Andy Lutomirski
2012-01-30 16:17 ` [PATCH v3 3/4] Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs Andy Lutomirski
2012-02-01 19:02   ` Kees Cook
2012-02-01 20:35     ` Andy Lutomirski
2012-01-30 16:17 ` [PATCH v3 4/4] Allow unprivileged chroot when safe Andy Lutomirski
2012-01-30 21:58   ` Colin Walters
2012-01-30 22:10     ` Andy Lutomirski
2012-01-30 22:41       ` Colin Walters
2012-01-30 22:43         ` Andy Lutomirski
2012-01-30 23:10           ` Colin Walters
2012-01-30 23:15             ` Andy Lutomirski
2012-01-30 23:55               ` Colin Walters
2012-01-31  0:13                 ` Andy Lutomirski
2012-01-30 22:18     ` Steven Rostedt
2012-01-30 22:28       ` Andy Lutomirski
2012-01-30 22:38       ` Will Drewry
2012-01-30 22:48         ` Colin Walters
2012-01-30 22:51         ` Andy Lutomirski
2012-02-09  9:35           ` Vasiliy Kulikov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).