| author | Kees Cook <keescook@chromium.org> | 2017-05-13 07:51:38 -0400 |
|---|---|---|
| committer | Jonathan Corbet <corbet@lwn.net> | 2017-05-18 12:30:09 -0400 |
| commit | 40fde647ccb0ae8c11d256d271e24d385eed595b (patch) | |
| tree | d00d1d26dd2942af58f74aa39bda87c27f6f65ac | |
| parent | c061f33f35be0ccc80f4b8e0aea5dfd2ed7e01a3 (diff) | |
doc: ReSTify no_new_privs.txt
This updates no_new_privs documentation to ReST markup and adds it to
the user-space API documentation.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
-rw-r--r-- | Documentation/userspace-api/index.rst | 1 |
-rw-r--r-- | Documentation/userspace-api/no_new_privs.rst (renamed from Documentation/prctl/no_new_privs.txt) | 44 |
2 files changed, 26 insertions, 19 deletions
diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst index 15ff12342db8..7b2eb1b7d4ca 100644 --- a/Documentation/userspace-api/index.rst +++ b/Documentation/userspace-api/index.rst | |||
@@ -16,6 +16,7 @@ place where this information is gathered. | |||
16 | .. toctree:: | 16 | .. toctree:: |
17 | :maxdepth: 2 | 17 | :maxdepth: 2 |
18 | 18 | ||
19 | no_new_privs | ||
19 | seccomp_filter | 20 | seccomp_filter |
20 | unshare | 21 | unshare |
21 | 22 | ||
diff --git a/Documentation/prctl/no_new_privs.txt b/Documentation/userspace-api/no_new_privs.rst index f7be84fba910..d060ea217ea1 100644 --- a/Documentation/prctl/no_new_privs.txt +++ b/Documentation/userspace-api/no_new_privs.rst | |||
@@ -1,3 +1,7 @@ | |||
1 | ====================== | ||
2 | No New Privileges Flag | ||
3 | ====================== | ||
4 | |||
1 | The execve system call can grant a newly-started program privileges that | 5 | The execve system call can grant a newly-started program privileges that |
2 | its parent did not have. The most obvious examples are setuid/setgid | 6 | its parent did not have. The most obvious examples are setuid/setgid |
3 | programs and file capabilities. To prevent the parent program from | 7 | programs and file capabilities. To prevent the parent program from |
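Review bot: the rename from Documentation/prctl/no_new_privs.txt to Documentation/userspace-api/no_new_privs.rst is not accompanied in this diff by any update to other files that might still point at the old path; the only other change is the new toctree entry in the first hunk. Grep the tree for the old path before merging so no stale references are left behind. The new title block itself is fine: the `=` over- and underline match the 22-character title "No New Privileges Flag".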
@@ -5,53 +9,55 @@ gaining these privileges as well, the kernel and user code must be | |||
5 | careful to prevent the parent from doing anything that could subvert the | 9 | careful to prevent the parent from doing anything that could subvert the |
6 | child. For example: | 10 | child. For example: |
7 | 11 | ||
8 | - The dynamic loader handles LD_* environment variables differently if | 12 | - The dynamic loader handles ``LD_*`` environment variables differently if |
9 | a program is setuid. | 13 | a program is setuid. |
10 | 14 | ||
11 | - chroot is disallowed to unprivileged processes, since it would allow | 15 | - chroot is disallowed to unprivileged processes, since it would allow |
12 | /etc/passwd to be replaced from the point of view of a process that | 16 | ``/etc/passwd`` to be replaced from the point of view of a process that |
13 | inherited chroot. | 17 | inherited chroot. |
14 | 18 | ||
15 | - The exec code has special handling for ptrace. | 19 | - The exec code has special handling for ptrace. |
16 | 20 | ||
17 | These are all ad-hoc fixes. The no_new_privs bit (since Linux 3.5) is a | 21 | These are all ad-hoc fixes. The ``no_new_privs`` bit (since Linux 3.5) is a |
18 | new, generic mechanism to make it safe for a process to modify its | 22 | new, generic mechanism to make it safe for a process to modify its |
19 | execution environment in a manner that persists across execve. Any task | 23 | execution environment in a manner that persists across execve. Any task |
20 | can set no_new_privs. Once the bit is set, it is inherited across fork, | 24 | can set ``no_new_privs``. Once the bit is set, it is inherited across fork, |
21 | clone, and execve and cannot be unset. With no_new_privs set, execve | 25 | clone, and execve and cannot be unset. With ``no_new_privs`` set, ``execve()`` |
22 | promises not to grant the privilege to do anything that could not have | 26 | promises not to grant the privilege to do anything that could not have |
23 | been done without the execve call. For example, the setuid and setgid | 27 | been done without the execve call. For example, the setuid and setgid |
24 | bits will no longer change the uid or gid; file capabilities will not | 28 | bits will no longer change the uid or gid; file capabilities will not |
25 | add to the permitted set, and LSMs will not relax constraints after | 29 | add to the permitted set, and LSMs will not relax constraints after |
26 | execve. | 30 | execve. |
27 | 31 | ||
28 | To set no_new_privs, use prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0). | 32 | To set ``no_new_privs``, use:: |
33 | |||
34 | prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); | ||
29 | 35 | ||
30 | Be careful, though: LSMs might also not tighten constraints on exec | 36 | Be careful, though: LSMs might also not tighten constraints on exec |
31 | in no_new_privs mode. (This means that setting up a general-purpose | 37 | in ``no_new_privs`` mode. (This means that setting up a general-purpose |
32 | service launcher to set no_new_privs before execing daemons may | 38 | service launcher to set ``no_new_privs`` before execing daemons may |
33 | interfere with LSM-based sandboxing.) | 39 | interfere with LSM-based sandboxing.) |
34 | 40 | ||
35 | Note that no_new_privs does not prevent privilege changes that do not | 41 | Note that ``no_new_privs`` does not prevent privilege changes that do not |
36 | involve execve. An appropriately privileged task can still call | 42 | involve ``execve()``. An appropriately privileged task can still call |
37 | setuid(2) and receive SCM_RIGHTS datagrams. | 43 | ``setuid(2)`` and receive SCM_RIGHTS datagrams. |
38 | 44 | ||
39 | There are two main use cases for no_new_privs so far: | 45 | There are two main use cases for ``no_new_privs`` so far: |
40 | 46 | ||
41 | - Filters installed for the seccomp mode 2 sandbox persist across | 47 | - Filters installed for the seccomp mode 2 sandbox persist across |
42 | execve and can change the behavior of newly-executed programs. | 48 | execve and can change the behavior of newly-executed programs. |
43 | Unprivileged users are therefore only allowed to install such filters | 49 | Unprivileged users are therefore only allowed to install such filters |
44 | if no_new_privs is set. | 50 | if ``no_new_privs`` is set. |
45 | 51 | ||
46 | - By itself, no_new_privs can be used to reduce the attack surface | 52 | - By itself, ``no_new_privs`` can be used to reduce the attack surface |
47 | available to an unprivileged user. If everything running with a | 53 | available to an unprivileged user. If everything running with a |
48 | given uid has no_new_privs set, then that uid will be unable to | 54 | given uid has ``no_new_privs`` set, then that uid will be unable to |
49 | escalate its privileges by directly attacking setuid, setgid, and | 55 | escalate its privileges by directly attacking setuid, setgid, and |
50 | fcap-using binaries; it will need to compromise something without the | 56 | fcap-using binaries; it will need to compromise something without the |
51 | no_new_privs bit set first. | 57 | ``no_new_privs`` bit set first. |
52 | 58 | ||
53 | In the future, other potentially dangerous kernel features could become | 59 | In the future, other potentially dangerous kernel features could become |
54 | available to unprivileged tasks if no_new_privs is set. In principle, | 60 | available to unprivileged tasks if ``no_new_privs`` is set. In principle, |
55 | several options to unshare(2) and clone(2) would be safe when | 61 | several options to ``unshare(2)`` and ``clone(2)`` would be safe when |
56 | no_new_privs is set, and no_new_privs + chroot is considerable less | 62 | ``no_new_privs`` is set, and ``no_new_privs`` + ``chroot`` is considerable less |
57 | dangerous than chroot by itself. | 63 | dangerous than chroot by itself. |
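Review bot: new-side line 62 carries over a pre-existing typo, "considerable less dangerous" should read "considerably less dangerous"; since the line is already being touched for markup, fix it here. The new ``…`` literal markup is also applied inconsistently within the hunk: ``execve()`` on new-side lines 25 and 42 but bare execve on lines 23, 27, 30 and 48; ``chroot`` on line 62 but bare chroot on lines 15, 17 and 63; ``setuid(2)`` on line 43 while setuid and setgid elsewhere stay plain. Pick one convention (the man-page style already used for ``setuid(2)``, ``unshare(2)`` and ``clone(2)`` would be the natural choice) and apply it throughout the file. Finally, the document shows how to set the bit (line 34) but never how to read it back; a one-line mention of prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0), which returns the current value of the bit, would round out the API reference for sandbox authors who need to verify the flag before installing seccomp filters.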