From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail333.us4.mandrillapp.com ([205.201.137.77]:58947 "EHLO
	mail333.us4.mandrillapp.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752036AbcCAVnB (ORCPT
	<rfc822;stable@vger.kernel.org>); Tue, 1 Mar 2016 16:43:01 -0500
Received: from pmta03.dal05.mailchimp.com (127.0.0.1) by mail333.us4.mandrillapp.com id hqo6ea174nos for <stable@vger.kernel.org>; Tue, 1 Mar 2016 21:42:46 +0000 (envelope-from <bounce-md_30481620.56d60cd6.v1-e5d2b5d0228b4375b77b6bddddc5c27d@mandrillapp.com>)
From: <gregkh@linuxfoundation.org>
Subject: Patch "seccomp: always propagate NO_NEW_PRIVS on tsync" has been added to the 4.4-stable tree
To: <jann@thejh.net>, <gregkh@linuxfoundation.org>,
	<keescook@chromium.org>
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Message-Id: <145686856491105@kroah.com>
Date: Tue, 01 Mar 2016 21:42:46 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>


This is a note to let you know that I've just added the patch titled

    seccomp: always propagate NO_NEW_PRIVS on tsync

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     seccomp-always-propagate-no_new_privs-on-tsync.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>>From 103502a35cfce0710909da874f092cb44823ca03 Mon Sep 17 00:00:00 2001
From: Jann Horn <jann@thejh.net>
Date: Sat, 26 Dec 2015 06:00:48 +0100
Subject: seccomp: always propagate NO_NEW_PRIVS on tsync

From: Jann Horn <jann@thejh.net>

commit 103502a35cfce0710909da874f092cb44823ca03 upstream.

Before this patch, a process with some permissive seccomp filter
that was applied by root without NO_NEW_PRIVS was able to add
more filters to itself without setting NO_NEW_PRIVS by setting
the new filter from a throwaway thread with NO_NEW_PRIVS.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/seccomp.c |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -316,24 +316,24 @@ static inline void seccomp_sync_threads(
 		put_seccomp_filter(thread);
 		smp_store_release(&thread->seccomp.filter,
 				  caller->seccomp.filter);
+
+		/*
+		 * Don't let an unprivileged task work around
+		 * the no_new_privs restriction by creating
+		 * a thread that sets it up, enters seccomp,
+		 * then dies.
+		 */
+		if (task_no_new_privs(caller))
+			task_set_no_new_privs(thread);
+
 		/*
 		 * Opt the other thread into seccomp if needed.
 		 * As threads are considered to be trust-realm
 		 * equivalent (see ptrace_may_access), it is safe to
 		 * allow one thread to transition the other.
 		 */
-		if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) {
-			/*
-			 * Don't let an unprivileged task work around
-			 * the no_new_privs restriction by creating
-			 * a thread that sets it up, enters seccomp,
-			 * then dies.
-			 */
-			if (task_no_new_privs(caller))
-				task_set_no_new_privs(thread);
-
+		if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
 			seccomp_assign_mode(thread, SECCOMP_MODE_FILTER);
-		}
 	}
 }
 


Patches currently in stable-queue which might be from jann@thejh.net are

queue-4.4/seccomp-always-propagate-no_new_privs-on-tsync.patch