security: Minor improvements to no_new_privs documentation

The documentation didn't actually mention how to enable no_new_privs. This also adds a note about possible interactions between no_new_privs and LSMs (i.e. why teaching systemd to set no_new_privs is not necessarily a good idea), and it references the new docs from include/linux/prctl.h. Suggested-by: Rob Landley <rob@landley.net> Signed-off-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
author: Andy Lutomirski <luto@amacapital.net> 2012-07-05 14:23:24 -0400
committer: James Morris <james.l.morris@oracle.com> 2012-07-07 10:25:48 -0400
commit: c540521bba5d2f24bd2c0417157bfaf8b85e2eee (patch)
tree: 64d387e5910f377b178bb168659684a0f09b20c2 /Documentation/prctl/no_new_privs.txt
parent: 26c439d4005d94b8da28e023e285fd4a9943470e (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/Documentation/prctl/no_new_privs.txt b/Documentation/prctl/no_new_privs.txt
index cb705ec69abe..f7be84fba910 100644
--- a/Documentation/prctl/no_new_privs.txt
+++ b/Documentation/prctl/no_new_privs.txt
@@ -25,6 +25,13 @@ bits will no longer change the uid or gid; file capabilities will not
 add to the permitted set, and LSMs will not relax constraints after
 execve.
+To set no_new_privs, use prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0).
+Be careful, though: LSMs might also not tighten constraints on exec
+in no_new_privs mode.  (This means that setting up a general-purpose
+service launcher to set no_new_privs before execing daemons may
+interfere with LSM-based sandboxing.)
 Note that no_new_privs does not prevent privilege changes that do not
 involve execve.  An appropriately privileged task can still call
 setuid(2) and receive SCM_RIGHTS datagrams.
author	Andy Lutomirski <luto@amacapital.net>	2012-07-05 14:23:24 -0400
committer	James Morris <james.l.morris@oracle.com>	2012-07-07 10:25:48 -0400
commit	c540521bba5d2f24bd2c0417157bfaf8b85e2eee (patch)
tree	64d387e5910f377b178bb168659684a0f09b20c2 /Documentation/prctl/no_new_privs.txt
parent	26c439d4005d94b8da28e023e285fd4a9943470e (diff)

diff --git a/Documentation/prctl/no_new_privs.txt b/Documentation/prctl/no_new_privs.txt index cb705ec69abe..f7be84fba910 100644 --- a/Documentation/prctl/no_new_privs.txt +++ b/Documentation/prctl/no_new_privs.txt
@@ -25,6 +25,13 @@ bits will no longer change the uid or gid; file capabilities will not
25	add to the permitted set, and LSMs will not relax constraints after	25	add to the permitted set, and LSMs will not relax constraints after
26	execve.	26	execve.
27		27
		28	To set no_new_privs, use prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0).
		29
		30	Be careful, though: LSMs might also not tighten constraints on exec
		31	in no_new_privs mode. (This means that setting up a general-purpose
		32	service launcher to set no_new_privs before execing daemons may
		33	interfere with LSM-based sandboxing.)
		34
28	Note that no_new_privs does not prevent privilege changes that do not	35	Note that no_new_privs does not prevent privilege changes that do not
29	involve execve. An appropriately privileged task can still call	36	involve execve. An appropriately privileged task can still call
30	setuid(2) and receive SCM_RIGHTS datagrams.	37	setuid(2) and receive SCM_RIGHTS datagrams.