aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndy Lutomirski <luto@amacapital.net>2012-04-12 17:47:50 -0400
committerJames Morris <james.l.morris@oracle.com>2012-04-13 21:13:18 -0400
commit259e5e6c75a910f3b5e656151dc602f53f9d7548 (patch)
tree4405fdf68238f2e33f27b04e8c37c9e29a2493d8
parent9ccf010f8172b699ea80178860e8ea228f7dce56 (diff)
Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
With this change, calling prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) disables privilege granting operations at execve-time. For example, a process will not be able to execute a setuid binary to change their uid or gid if this bit is set. The same is true for file capabilities. Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that LSMs respect the requested behavior. To determine if the NO_NEW_PRIVS bit is set, a task may call prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); It returns 1 if set and 0 if it is not set. If any of the arguments are non-zero, it will return -1 and set errno to -EINVAL. (PR_SET_NO_NEW_PRIVS behaves similarly.) This functionality is desired for the proposed seccomp filter patch series. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the system call behavior for itself and its child tasks without being able to impact the behavior of a more privileged task. Another potential use is making certain privileged operations unprivileged. For example, chroot may be considered "safe" if it cannot affect privileged tasks. Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is set and AppArmor is in use. It is fixed in a subsequent patch. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: Will Drewry <wad@chromium.org> Acked-by: Eric Paris <eparis@redhat.com> Acked-by: Kees Cook <keescook@chromium.org> v18: updated change desc v17: using new define values as per 3.4 Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat
-rw-r--r--fs/exec.c10
-rw-r--r--include/linux/prctl.h15
-rw-r--r--include/linux/sched.h2
-rw-r--r--include/linux/security.h1
-rw-r--r--kernel/sys.c10
-rw-r--r--security/apparmor/domain.c4
-rw-r--r--security/commoncap.c7
-rw-r--r--security/selinux/hooks.c10
8 files changed, 55 insertions, 4 deletions
diff --git a/fs/exec.c b/fs/exec.c
index b1fd2025e59a..d038968b54b4 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1245,6 +1245,13 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
1245 bprm->unsafe |= LSM_UNSAFE_PTRACE; 1245 bprm->unsafe |= LSM_UNSAFE_PTRACE;
1246 } 1246 }
1247 1247
1248 /*
1249 * This isn't strictly necessary, but it makes it harder for LSMs to
1250 * mess up.
1251 */
1252 if (current->no_new_privs)
1253 bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
1254
1248 n_fs = 1; 1255 n_fs = 1;
1249 spin_lock(&p->fs->lock); 1256 spin_lock(&p->fs->lock);
1250 rcu_read_lock(); 1257 rcu_read_lock();
@@ -1288,7 +1295,8 @@ int prepare_binprm(struct linux_binprm *bprm)
1288 bprm->cred->euid = current_euid(); 1295 bprm->cred->euid = current_euid();
1289 bprm->cred->egid = current_egid(); 1296 bprm->cred->egid = current_egid();
1290 1297
1291 if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { 1298 if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
1299 !current->no_new_privs) {
1292 /* Set-uid? */ 1300 /* Set-uid? */
1293 if (mode & S_ISUID) { 1301 if (mode & S_ISUID) {
1294 bprm->per_clear |= PER_CLEAR_ON_SETID; 1302 bprm->per_clear |= PER_CLEAR_ON_SETID;
diff --git a/include/linux/prctl.h b/include/linux/prctl.h
index e0cfec2490aa..78b76e24cc7e 100644
--- a/include/linux/prctl.h
+++ b/include/linux/prctl.h
@@ -124,4 +124,19 @@
124#define PR_SET_CHILD_SUBREAPER 36 124#define PR_SET_CHILD_SUBREAPER 36
125#define PR_GET_CHILD_SUBREAPER 37 125#define PR_GET_CHILD_SUBREAPER 37
126 126
127/*
128 * If no_new_privs is set, then operations that grant new privileges (i.e.
129 * execve) will either fail or not grant them. This affects suid/sgid,
130 * file capabilities, and LSMs.
131 *
132 * Operations that merely manipulate or drop existing privileges (setresuid,
133 * capset, etc.) will still work. Drop those privileges if you want them gone.
134 *
135 * Changing LSM security domain is considered a new privilege. So, for example,
136 * asking selinux for a specific new context (e.g. with runcon) will result
137 * in execve returning -EPERM.
138 */
139#define PR_SET_NO_NEW_PRIVS 38
140#define PR_GET_NO_NEW_PRIVS 39
141
127#endif /* _LINUX_PRCTL_H */ 142#endif /* _LINUX_PRCTL_H */
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 81a173c0897d..ba60897bb447 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1341,6 +1341,8 @@ struct task_struct {
1341 * execve */ 1341 * execve */
1342 unsigned in_iowait:1; 1342 unsigned in_iowait:1;
1343 1343
1344 /* task may not gain privileges */
1345 unsigned no_new_privs:1;
1344 1346
1345 /* Revert to default priority/policy when forking */ 1347 /* Revert to default priority/policy when forking */
1346 unsigned sched_reset_on_fork:1; 1348 unsigned sched_reset_on_fork:1;
diff --git a/include/linux/security.h b/include/linux/security.h
index 673afbb8238a..6e1dea93907a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -144,6 +144,7 @@ struct request_sock;
144#define LSM_UNSAFE_SHARE 1 144#define LSM_UNSAFE_SHARE 1
145#define LSM_UNSAFE_PTRACE 2 145#define LSM_UNSAFE_PTRACE 2
146#define LSM_UNSAFE_PTRACE_CAP 4 146#define LSM_UNSAFE_PTRACE_CAP 4
147#define LSM_UNSAFE_NO_NEW_PRIVS 8
147 148
148#ifdef CONFIG_MMU 149#ifdef CONFIG_MMU
149extern int mmap_min_addr_handler(struct ctl_table *table, int write, 150extern int mmap_min_addr_handler(struct ctl_table *table, int write,
diff --git a/kernel/sys.c b/kernel/sys.c
index e7006eb6c1e4..b82568b7d201 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1979,6 +1979,16 @@ SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,
1979 error = put_user(me->signal->is_child_subreaper, 1979 error = put_user(me->signal->is_child_subreaper,
1980 (int __user *) arg2); 1980 (int __user *) arg2);
1981 break; 1981 break;
1982 case PR_SET_NO_NEW_PRIVS:
1983 if (arg2 != 1 || arg3 || arg4 || arg5)
1984 return -EINVAL;
1985
1986 current->no_new_privs = 1;
1987 break;
1988 case PR_GET_NO_NEW_PRIVS:
1989 if (arg2 || arg3 || arg4 || arg5)
1990 return -EINVAL;
1991 return current->no_new_privs ? 1 : 0;
1982 default: 1992 default:
1983 error = -EINVAL; 1993 error = -EINVAL;
1984 break; 1994 break;
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 6327685c101e..18c88d06e881 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,6 +360,10 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
360 if (bprm->cred_prepared) 360 if (bprm->cred_prepared)
361 return 0; 361 return 0;
362 362
363 /* XXX: no_new_privs is not usable with AppArmor yet */
364 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
365 return -EPERM;
366
363 cxt = bprm->cred->security; 367 cxt = bprm->cred->security;
364 BUG_ON(!cxt); 368 BUG_ON(!cxt);
365 369
diff --git a/security/commoncap.c b/security/commoncap.c
index 0cf4b53480a7..edd3918fac02 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -506,14 +506,17 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
506skip: 506skip:
507 507
508 /* Don't let someone trace a set[ug]id/setpcap binary with the revised 508 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
509 * credentials unless they have the appropriate permit 509 * credentials unless they have the appropriate permit.
510 *
511 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
510 */ 512 */
511 if ((new->euid != old->uid || 513 if ((new->euid != old->uid ||
512 new->egid != old->gid || 514 new->egid != old->gid ||
513 !cap_issubset(new->cap_permitted, old->cap_permitted)) && 515 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
514 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 516 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
515 /* downgrade; they get no more than they had, and maybe less */ 517 /* downgrade; they get no more than they had, and maybe less */
516 if (!capable(CAP_SETUID)) { 518 if (!capable(CAP_SETUID) ||
519 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
517 new->euid = new->uid; 520 new->euid = new->uid;
518 new->egid = new->gid; 521 new->egid = new->gid;
519 } 522 }
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d85b793c9321..0b06685787b9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2016,6 +2016,13 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2016 new_tsec->sid = old_tsec->exec_sid; 2016 new_tsec->sid = old_tsec->exec_sid;
2017 /* Reset exec SID on execve. */ 2017 /* Reset exec SID on execve. */
2018 new_tsec->exec_sid = 0; 2018 new_tsec->exec_sid = 0;
2019
2020 /*
2021 * Minimize confusion: if no_new_privs and a transition is
2022 * explicitly requested, then fail the exec.
2023 */
2024 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
2025 return -EPERM;
2019 } else { 2026 } else {
2020 /* Check for a default transition on this program. */ 2027 /* Check for a default transition on this program. */
2021 rc = security_transition_sid(old_tsec->sid, isec->sid, 2028 rc = security_transition_sid(old_tsec->sid, isec->sid,
@@ -2029,7 +2036,8 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2029 ad.selinux_audit_data = &sad; 2036 ad.selinux_audit_data = &sad;
2030 ad.u.path = bprm->file->f_path; 2037 ad.u.path = bprm->file->f_path;
2031 2038
2032 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2039 if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
2040 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
2033 new_tsec->sid = old_tsec->sid; 2041 new_tsec->sid = old_tsec->sid;
2034 2042
2035 if (new_tsec->sid == old_tsec->sid) { 2043 if (new_tsec->sid == old_tsec->sid) {
generated by cgit v1.2.2 (git 2.25.0) at 2024-11-02 05:26:32 -0400