)]}' { "commit": "9bf75dffc07ea6b5e19251880b8dcf0debdbbccc", "tree": "329bb5327b7e523ed2812dc6679b035f594f69f5", "parents": [ "74cfe2dcc0f4b17f9abbabf349e33c39a260987e" ], "author": { "name": "Andy Lutomirski", "email": "luto@amacapital.net", "time": "Thu Apr 12 16:47:50 2012 -0500" }, "committer": { "name": "Ethan Chen", "email": "intervigil@gmail.com", "time": "Tue Dec 16 13:18:02 2014 -0800" }, "message": "Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs\n\nWith this change, calling\n prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)\ndisables privilege granting operations at execve-time. For example, a\nprocess will not be able to execute a setuid binary to change their uid\nor gid if this bit is set. The same is true for file capabilities.\n\nAdditionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that\nLSMs respect the requested behavior.\n\nTo determine if the NO_NEW_PRIVS bit is set, a task may call\n prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);\nIt returns 1 if set and 0 if it is not set. If any of the arguments are\nnon-zero, it will return -1 and set errno to -EINVAL.\n(PR_SET_NO_NEW_PRIVS behaves similarly.)\n\nThis functionality is desired for the proposed seccomp filter patch\nseries. By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the\nsystem call behavior for itself and its child tasks without being\nable to impact the behavior of a more privileged task.\n\nAnother potential use is making certain privileged operations\nunprivileged. For example, chroot may be considered \"safe\" if it cannot\naffect privileged tasks.\n\nNote, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is\nset and AppArmor is in use. It is fixed in a subsequent patch.\n\nSigned-off-by: Andy Lutomirski \u003cluto@amacapital.net\u003e\nSigned-off-by: Will Drewry \u003cwad@chromium.org\u003e\nAcked-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Kees Cook \u003ckeescook@chromium.org\u003e\n\nChange-Id: I2159006d20daefe6add5adc47c22bdbcd7d79e3a\nv18: updated change desc\nv17: using new define values as per 3.4\nSigned-off-by: James Morris \u003cjames.l.morris@oracle.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "5b9dfbe84b198599b570795aad83c4b6e45fd0a6", "old_mode": 33188, "old_path": "fs/exec.c", "new_id": "4f319cb6814fe6c8b5de69d791ac43e64846eb18", "new_mode": 33188, "new_path": "fs/exec.c" }, { "type": "modify", "old_id": "2f513409fabf82e965472a6244ab9e3ccc71115b", "old_mode": 33188, "old_path": "include/linux/prctl.h", "new_id": "0b32556ac20be86ec83f8543d12b331cd9fde09f", "new_mode": 33188, "new_path": "include/linux/prctl.h" }, { "type": "modify", "old_id": "83ef63fbf6d976394db129562ed94861fb0eb642", "old_mode": 33188, "old_path": "include/linux/sched.h", "new_id": "066d74d8443bae47d6256e03c1fbf84ebec8c549", "new_mode": 33188, "new_path": "include/linux/sched.h" }, { "type": "modify", "old_id": "b62f3969e84bbe534e958377025d813548bf2469", "old_mode": 33188, "old_path": "include/linux/security.h", "new_id": "2a825304509c02ba84becccd57ee9483370f9670", "new_mode": 33188, "new_path": "include/linux/security.h" }, { "type": "modify", "old_id": "864611c7b1a3d670671748041f93d506dec43c90", "old_mode": 33188, "old_path": "kernel/sys.c", "new_id": "48006a05e56a78cbb932b1147aa7e60d9360a6b1", "new_mode": 33188, "new_path": "kernel/sys.c" }, { "type": "modify", "old_id": "6327685c101e49cc720553c9db9f02da3fed1d24", "old_mode": 33188, "old_path": "security/apparmor/domain.c", "new_id": "18c88d06e88141f7bc71bf8f01dbf6b923b5f120", "new_mode": 33188, "new_path": "security/apparmor/domain.c" }, { "type": "modify", "old_id": "0051ac2d0583773560e0186f56d3a9a8a5c7edd9", "old_mode": 33188, "old_path": "security/commoncap.c", "new_id": "98ff4630f9fad5b9d7f0a2fcdd10476e81268263", "new_mode": 33188, "new_path": "security/commoncap.c" }, { "type": "modify", "old_id": "aa287977f9c202a1ed92fc502a2a11641e40f55e", "old_mode": 33188, "old_path": "security/selinux/hooks.c", "new_id": "e2c6b450ac44ce09b06b1bae69e9a7a97d1c6ad3", "new_mode": 33188, "new_path": "security/selinux/hooks.c" } ] }