aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/prctl
diff options
context:
space:
mode:
authorAndy Lutomirski <luto@amacapital.net>2012-07-02 17:03:58 -0400
committerJames Morris <james.l.morris@oracle.com>2012-07-02 22:35:36 -0400
commit09b243577be319ef55310b45c65737008f3ebf12 (patch)
tree855f48235a5b6288e9ff17b97fc338341320e542 /Documentation/prctl
parentca24a145573124732152daff105ba68cc9a2b545 (diff)
security: document no_new_privs
Document no_new_privs. Signed-off-by: Andy Lutomirski <luto@amacapital.net> Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'Documentation/prctl')
-rw-r--r--Documentation/prctl/no_new_privs.txt50
1 files changed, 50 insertions, 0 deletions
diff --git a/Documentation/prctl/no_new_privs.txt b/Documentation/prctl/no_new_privs.txt
new file mode 100644
index 000000000000..cb705ec69abe
--- /dev/null
+++ b/Documentation/prctl/no_new_privs.txt
@@ -0,0 +1,50 @@
1The execve system call can grant a newly-started program privileges that
2its parent did not have. The most obvious examples are setuid/setgid
3programs and file capabilities. To prevent the parent program from
4gaining these privileges as well, the kernel and user code must be
5careful to prevent the parent from doing anything that could subvert the
6child. For example:
7
8 - The dynamic loader handles LD_* environment variables differently if
9 a program is setuid.
10
11 - chroot is disallowed to unprivileged processes, since it would allow
12 /etc/passwd to be replaced from the point of view of a process that
13 inherited chroot.
14
15 - The exec code has special handling for ptrace.
16
17These are all ad-hoc fixes. The no_new_privs bit (since Linux 3.5) is a
18new, generic mechanism to make it safe for a process to modify its
19execution environment in a manner that persists across execve. Any task
20can set no_new_privs. Once the bit is set, it is inherited across fork,
21clone, and execve and cannot be unset. With no_new_privs set, execve
22promises not to grant the privilege to do anything that could not have
23been done without the execve call. For example, the setuid and setgid
24bits will no longer change the uid or gid; file capabilities will not
25add to the permitted set, and LSMs will not relax constraints after
26execve.
27
28Note that no_new_privs does not prevent privilege changes that do not
29involve execve. An appropriately privileged task can still call
30setuid(2) and receive SCM_RIGHTS datagrams.
31
32There are two main use cases for no_new_privs so far:
33
34 - Filters installed for the seccomp mode 2 sandbox persist across
35 execve and can change the behavior of newly-executed programs.
36 Unprivileged users are therefore only allowed to install such filters
37 if no_new_privs is set.
38
39 - By itself, no_new_privs can be used to reduce the attack surface
40 available to an unprivileged user. If everything running with a
41 given uid has no_new_privs set, then that uid will be unable to
42 escalate its privileges by directly attacking setuid, setgid, and
43 fcap-using binaries; it will need to compromise something without the
44 no_new_privs bit set first.
45
46In the future, other potentially dangerous kernel features could become
47available to unprivileged tasks if no_new_privs is set. In principle,
48several options to unshare(2) and clone(2) would be safe when
49no_new_privs is set, and no_new_privs + chroot is considerable less
50dangerous than chroot by itself.