diff options
| author | Jann Horn <jann@thejh.net> | 2015-12-26 00:00:48 -0500 |
|---|---|---|
| committer | Kees Cook <keescook@chromium.org> | 2016-01-27 10:38:25 -0500 |
| commit | 103502a35cfce0710909da874f092cb44823ca03 (patch) | |
| tree | 81f6474629fba8af0fc696d5944711f312e04fa0 | |
| parent | 607259e17b37017e9ec0249a8b0a7d8b76b572aa (diff) | |
seccomp: always propagate NO_NEW_PRIVS on tsync
Before this patch, a process with some permissive seccomp filter
that was applied by root without NO_NEW_PRIVS was able to add
more filters to itself without setting NO_NEW_PRIVS by setting
the new filter from a throwaway thread with NO_NEW_PRIVS.
Signed-off-by: Jann Horn <jann@thejh.net>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
| -rw-r--r-- | kernel/seccomp.c | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 580ac2d4024f..15a1795bbba1 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c | |||
| @@ -316,24 +316,24 @@ static inline void seccomp_sync_threads(void) | |||
| 316 | put_seccomp_filter(thread); | 316 | put_seccomp_filter(thread); |
| 317 | smp_store_release(&thread->seccomp.filter, | 317 | smp_store_release(&thread->seccomp.filter, |
| 318 | caller->seccomp.filter); | 318 | caller->seccomp.filter); |
| 319 | |||
| 320 | /* | ||
| 321 | * Don't let an unprivileged task work around | ||
| 322 | * the no_new_privs restriction by creating | ||
| 323 | * a thread that sets it up, enters seccomp, | ||
| 324 | * then dies. | ||
| 325 | */ | ||
| 326 | if (task_no_new_privs(caller)) | ||
| 327 | task_set_no_new_privs(thread); | ||
| 328 | |||
| 319 | /* | 329 | /* |
| 320 | * Opt the other thread into seccomp if needed. | 330 | * Opt the other thread into seccomp if needed. |
| 321 | * As threads are considered to be trust-realm | 331 | * As threads are considered to be trust-realm |
| 322 | * equivalent (see ptrace_may_access), it is safe to | 332 | * equivalent (see ptrace_may_access), it is safe to |
| 323 | * allow one thread to transition the other. | 333 | * allow one thread to transition the other. |
| 324 | */ | 334 | */ |
| 325 | if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) { | 335 | if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) |
| 326 | /* | ||
| 327 | * Don't let an unprivileged task work around | ||
| 328 | * the no_new_privs restriction by creating | ||
| 329 | * a thread that sets it up, enters seccomp, | ||
| 330 | * then dies. | ||
| 331 | */ | ||
| 332 | if (task_no_new_privs(caller)) | ||
| 333 | task_set_no_new_privs(thread); | ||
| 334 | |||
| 335 | seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); | 336 | seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); |
| 336 | } | ||
| 337 | } | 337 | } |
| 338 | } | 338 | } |
| 339 | 339 | ||