Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from
granting privs
[Posted January 18, 2012 by jake]
| From: | Eric Paris <eparis-AT-redhat.com> |
| To: | Alan Cox <alan-AT-lxorguk.ukuu.org.uk> |
| Subject: | Re: [PATCH] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs |
| Date: | Fri, 13 Jan 2012 13:54:51 -0500 |
| Message-ID: | <1326480891.4342.7.camel@localhost> |
| Cc: | Oleg Nesterov <oleg-AT-redhat.com>, Andy Lutomirski <luto-AT-amacapital.net>, Will Drewry <wad-AT-chromium.org>, torvalds-AT-linux-foundation.org, linux-kernel-AT-vger.kernel.org, keescook-AT-chromium.org, john.johansen-AT-canonical.com, serge.hallyn-AT-canonical.com, coreyb-AT-linux.vnet.ibm.com, pmoore-AT-redhat.com, djm-AT-mindrot.org, segoon-AT-openwall.com, rostedt-AT-goodmis.org, jmorris-AT-namei.org, scarybeasts-AT-gmail.com, avi-AT-redhat.com, penberg-AT-cs.helsinki.fi, viro-AT-zeniv.linux.org.uk, luto-AT-MIT.EDU, mingo-AT-elte.hu, akpm-AT-linux-foundation.org, khilman-AT-ti.com, borislav.petkov-AT-amd.com, amwang-AT-redhat.com, ak-AT-linux.intel.com, eric.dumazet-AT-gmail.com, gregkh-AT-suse.de, dhowells-AT-redhat.com, daniel.lezcano-AT-free.fr, linux-fsdevel-AT-vger.kernel.org, linux-security-module-AT-vger.kernel.org, olofj-AT-chromium.org, mhalcrow-AT-google.com, dlaor-AT-redhat.com, corbet-AT-lwn.net |

On Fri, 2012-01-13 at 18:24 +0000, Alan Cox wrote:
> This still appears to be a bit broken
>
> There are three problems here
>
> 1. I can stop an app changing privs which in some SELinux or AppArmor
> cases might mean I prevent it being dropped into a less privileged
> position. That's something only the security policy knows.
>
> So for SELinux and AppArmor and the like in some situations you are
> potentially adding a security hole. That one seems hard to fix unless you
> fail the exec if it causes a security transition, as opposed to just
> keeping the old one. For non change cases we can however still pass the
> filter on, which is the usual sane case.
I can't speak about AppArmor at all, but not transitioning in SELinux
(the same as MNT_NOSUID) is safe since policy will still make a security
decision if you are allowed to launch the binary without transitioning.
I have thoughts on how to make the SELinux approach more flexible and
policy controlled, but I'd be fine with this flag just applying no
transition for now and adding that as a new feature down the road.
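The following is an added example, not code from this e-mail, from Alan Cox or Eric Paris, or from the patch under discussion. It shows the user-visible contract of the flag the thread is about: a thread sets no_new_privs with prctl(2), the kernel refuses to clear it again, and the flag is inherited across fork and execve, so the exec'd program (which, with the flag set, would be run without any set-user-ID, set-group-ID, file-capability or, as Eric describes for SELinux, domain transition, much like a binary on a nosuid mount) still sees it. It assumes a Linux kernel of 3.5 or later, where PR_SET_NO_NEW_PRIVS shipped, plus glibc; the helper names nnp_query, nnp_enable, nnp_try_clear and nnp_survives_exec are mine, and the re-exec goes through /proc/self/exe.

```c
/* Added example of PR_{GET,SET}_NO_NEW_PRIVS behaviour (not from the patch).
 * Assumes Linux >= 3.5 and glibc. Helper names are the example's own. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Older <sys/prctl.h> may predate these constants; values as in linux/prctl.h. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Returns 1 if the calling thread has no_new_privs set, 0 if not, -1 on error. */
int nnp_query(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Sets no_new_privs on the calling thread (arg2 must be exactly 1).
 * From here on execve() can no longer grant privileges to this thread or
 * anything it forks or execs. Returns 0 on success, -1 on error. */
int nnp_enable(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Tries to clear the flag, which the kernel refuses: the only accepted value
 * is 1. Returns the errno of the failed call (EINVAL expected), or 0 if the
 * call unexpectedly succeeded. */
int nnp_try_clear(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Forks a child that sets the flag and then re-executes this binary with
 * "--report"; main() makes the child exit with nnp_query() as seen after
 * execve. Returns that exit status (1 means the flag survived execve), or
 * -1 if fork/wait failed. The parent's own flag is untouched: the flag is
 * inherited downwards only. */
int nnp_survives_exec(const char *self_path)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (nnp_enable() != 0)
            _exit(100);
        execl(self_path, self_path, "--report", (char *)NULL);
        _exit(101); /* execl only returns on failure */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--report") == 0)
        return nnp_query(); /* exit status carries the flag value across execve */

    printf("parent before:                 %d\n", nnp_query());
    printf("child, after set + execve:     %d\n", nnp_survives_exec("/proc/self/exe"));
    printf("parent, unaffected by child:   %d\n", nnp_query());

    if (nnp_enable() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("parent after set:              %d\n", nnp_query());
    int e = nnp_try_clear();
    printf("clearing the flag:             %s\n",
           e == EINVAL ? "refused (EINVAL)" : "unexpected result");
    return 0;
}
```

Run it inside a container started with a no-new-privileges option and the very first line already prints 1: the flag was set before the process existed and, as the rest of the output shows, nothing it does can undo that.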