From: Andy Lutomirski <luto@amacapital.net>
To: Will Drewry <wad@chromium.org>, linux-kernel@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Jamie Lokier <jamie@shareable.org>,
	keescook@chromium.org, john.johansen@canonical.com,
	serge.hallyn@canonical.com, coreyb@linux.vnet.ibm.com,
	pmoore@redhat.com, eparis@redhat.com, djm@mindrot.org,
	segoon@openwall.com, rostedt@goodmis.org, jmorris@namei.org,
	scarybeasts@gmail.com, avi@redhat.com, penberg@cs.helsinki.fi,
	viro@zeniv.linux.org.uk, mingo@elte.hu,
	akpm@linux-foundation.org, khilman@ti.com,
	borislav.petkov@amd.com, amwang@redhat.com, oleg@redhat.com,
	ak@linux.intel.com, eric.dumazet@gmail.com, gregkh@suse.de,
	dhowells@redhat.com, daniel.lezcano@free.fr,
	linux-fsdevel@vger.kernel.org,
	linux-security-module@vger.kernel.org, olofj@chromium.org,
	mhalcrow@google.com, dlaor@redhat.com, corbet@lwn.net,
	alan@lxorguk.ukuu.org.uk, Al Viro <viro@ZenIV.linux.org.uk>,
	Andy Lutomirski <luto@amacapital.net>
Subject: [PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot
Date: Mon, 30 Jan 2012 08:17:25 -0800	[thread overview]
Message-ID: <cover.1327858005.git.luto@amacapital.net> (raw)

This adds PR_{GET,SET}_NO_NEW_PRIVS.  As an example of its use, it
allows some unshare operations and (sometimes) chroot when no_new_privs
is set.  Another example is the experimental pam module here:

http://web.mit.edu/luto/www/linux/

After some impressively long mailing list threads, I still think that
blocking setresuid, setuid, and capset in no_new_privs mode is
unnecessary and overcomplicated.  Additionally, blocking those calls
will make my pam module either fail or become a giant security hole
(depending on how carefully the core pam stuff is written -- I haven't
checked).

Changes from v2:
 - Rebased onto a very recent -linus tree.
 - Changed prctl numbering.  (Needed because prctl 35 is now taken.)
 - Fixed a typo or two.
 - Removed explicit propagation of no_new_privs.  dup_task_struct is enough.
 - Reworked the chroot patch.  It now uses hopefully much more sane logic
   to decide whether the user is chrooted.  It also checks that fs is not
   shared (which was a big security hole in the earlier version).

For the git-inclined, this series is here:
https://git.kernel.org/?p=linux/kernel/git/luto/linux.git;a=shortlog;h=refs/heads/security/no_new_privs/patch_v3

Test it like this:

---- begin test case

#include <sys/prctl.h>
#include <stdio.h>
#include <unistd.h>
#include <errno.h>

/* prctl numbers as assigned by this (v3) series. */
#define PR_SET_NO_NEW_PRIVS 36
#define PR_GET_NO_NEW_PRIVS 37

int main(void)
{
  /* The libc wrapper returns -1 and sets errno; it never returns -EINVAL
     itself.  EINVAL from PR_GET_NO_NEW_PRIVS means the running kernel does
     not know the prctl. */
  int nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
  if (nnp < 0) {
    perror("PR_GET_NO_NEW_PRIVS failed");
    return 1;
  }

  printf("nnp was %d\n", nnp);

  /* Setting the bit is one-way; arg2 must be 1. */
  if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
    perror("PR_SET_NO_NEW_PRIVS failed");
    return 1;
  }

  nnp = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
  if (nnp < 0) {
    perror("PR_GET_NO_NEW_PRIVS failed");
    return 1;
  }

  printf("nnp is %d\n", nnp);

  /* The bit survives execve: the shell (and anything it runs) inherits it,
     so setuid/setgid binaries and file capabilities stop granting privs. */
  printf("here goes...\n");
  execlp("bash", "bash", NULL);
  perror("Failed to exec bash");
  return 1;
}

---- end test case

Andy Lutomirski (3):
  Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
  Allow unprivileged CLONE_NEWUTS and CLONE_NEWIPC with no_new_privs
  Allow unprivileged chroot when safe

John Johansen (1):
  Fix apparmor for PR_{GET,SET}_NO_NEW_PRIVS

 fs/exec.c                  |   10 ++++++++-
 fs/open.c                  |   46 ++++++++++++++++++++++++++++++++++++++++++-
 include/linux/prctl.h      |   15 ++++++++++++++
 include/linux/sched.h      |    2 +
 include/linux/security.h   |    1 +
 kernel/nsproxy.c           |    8 ++++++-
 kernel/sys.c               |   10 +++++++++
 security/apparmor/domain.c |   35 +++++++++++++++++++++++++++++++++
 security/commoncap.c       |    7 ++++-
 security/selinux/hooks.c   |   10 ++++++++-
 10 files changed, 137 insertions(+), 7 deletions(-)

-- 
1.7.7.6
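
Added example, not part of this series or the test case above: it exercises the three properties of the bit that the cover letter relies on (set once and read back, inherited by fork without explicit propagation since dup_task_struct copies it, and impossible to clear again) against the interface as merged in mainline. It assumes a Linux kernel and libc whose <sys/prctl.h> defines PR_SET_NO_NEW_PRIVS and PR_GET_NO_NEW_PRIVS (38 and 39 in mainline, rather than the 36 and 37 this v3 series used), and that clearing the bit is rejected with EINVAL, which is mainline behaviour.

```c
/* Added example (not Andy Lutomirski's code): no_new_privs semantics on a
 * mainline kernel.  Assumes <sys/prctl.h> defines PR_{SET,GET}_NO_NEW_PRIVS
 * (mainline: 38/39; this v3 series used 36/37). */
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Calling task's no_new_privs bit: 0 or 1, or -1 (errno set, EINVAL on a
 * kernel that lacks the prctl). */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Sets the bit for the calling task and every descendant it forks or
 * execs from now on.  Returns 0 on success, -1 with errno set otherwise. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* The bit is one-way: asking the kernel to clear it (arg2 != 1) is rejected
 * with EINVAL.  Returns 1 if the kernel enforces that, 0 if it let us clear
 * the bit, -1 if the call failed for some other reason. */
int nnp_is_sticky(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno == EINVAL ? 1 : -1;
}

/* Forks a child that reports its own bit through its exit status, which is
 * exactly the "dup_task_struct is enough" propagation the cover letter
 * mentions.  Returns the child's bit (0/1) or -1 on failure. */
int nnp_child_value(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int v = nnp_get();
        _exit(v < 0 ? 2 : v);   /* 2 = child could not read the bit */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 2 ? -1 : code;
}

int main(void)
{
    printf("nnp before: %d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("nnp after set: %d\n", nnp_get());
    printf("nnp seen by forked child: %d\n", nnp_child_value());
    printf("clearing rejected with EINVAL: %d\n", nnp_is_sticky());
    return 0;
}
```

On a current kernel the same bit can be audited from outside the process through the NoNewPrivs: line in /proc/PID/status, which is the check to use when verifying that a sandboxed or pam-spawned session really carries the flag.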

