diff options
Diffstat (limited to 'features/seccomp/Fix-execve-behavior-apparmor-for-PR_-GET-SET-_NO_NEW.patch')
-rw-r--r-- | features/seccomp/Fix-execve-behavior-apparmor-for-PR_-GET-SET-_NO_NEW.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/features/seccomp/Fix-execve-behavior-apparmor-for-PR_-GET-SET-_NO_NEW.patch b/features/seccomp/Fix-execve-behavior-apparmor-for-PR_-GET-SET-_NO_NEW.patch new file mode 100644 index 00000000..5d0e2930 --- /dev/null +++ b/features/seccomp/Fix-execve-behavior-apparmor-for-PR_-GET-SET-_NO_NEW.patch @@ -0,0 +1,106 @@ +From a7c57bb9edacc420cc99d16852621a12d112cb0f Mon Sep 17 00:00:00 2001 +From: John Johansen <john.johansen@canonical.com> +Date: Thu, 12 Apr 2012 16:47:51 -0500 +Subject: [PATCH] Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS + +commit c29bceb3967398cf2ac8bf8edf9634fdb722df7d upstream. + +Add support for AppArmor to explicitly fail requested domain transitions +if NO_NEW_PRIVS is set and the task is not unconfined. + +Transitions from unconfined are still allowed because this always results +in a reduction of privileges. + +Acked-by: Eric Paris <eparis@redhat.com> +Signed-off-by: Will Drewry <wad@chromium.org> +Signed-off-by: John Johansen <john.johansen@canonical.com> +Signed-off-by: Andy Lutomirski <luto@amacapital.net> + +v18: new acked-by, new description +Signed-off-by: James Morris <james.l.morris@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + security/apparmor/domain.c | 39 +++++++++++++++++++++++++++++++++++---- + 1 files changed, 35 insertions(+), 4 deletions(-) + +diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c +index 18c88d0..b81ea10 100644 +--- a/security/apparmor/domain.c ++++ b/security/apparmor/domain.c +@@ -360,10 +360,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + if (bprm->cred_prepared) + return 0; + +- /* XXX: no_new_privs is not usable with AppArmor yet */ +- if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) +- return -EPERM; +- + cxt = bprm->cred->security; + BUG_ON(!cxt); + +@@ -398,6 +394,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + new_profile = find_attach(ns, &ns->base.profiles, name); + if (!new_profile) + goto cleanup; ++ /* ++ * NOTE: Domain transitions from unconfined are allowed ++ * even when no_new_privs is set because this aways results ++ * in a further reduction of permissions. ++ */ + goto apply; + } + +@@ -459,6 +460,16 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) + /* fail exec */ + error = -EACCES; + ++ /* ++ * Policy has specified a domain transition, if no_new_privs then ++ * fail the exec. ++ */ ++ if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) { ++ aa_put_profile(new_profile); ++ error = -EPERM; ++ goto cleanup; ++ } ++ + if (!new_profile) + goto audit; + +@@ -613,6 +624,14 @@ int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) + const char *target = NULL, *info = NULL; + int error = 0; + ++ /* ++ * Fail explicitly requested domain transitions if no_new_privs. ++ * There is no exception for unconfined as change_hat is not ++ * available. ++ */ ++ if (current->no_new_privs) ++ return -EPERM; ++ + /* released below */ + cred = get_current_cred(); + cxt = cred->security; +@@ -754,6 +773,18 @@ int aa_change_profile(const char *ns_name, const char *hname, bool onexec, + cxt = cred->security; + profile = aa_cred_profile(cred); + ++ /* ++ * Fail explicitly requested domain transitions if no_new_privs ++ * and not unconfined. ++ * Domain transitions from unconfined are allowed even when ++ * no_new_privs is set because this aways results in a reduction ++ * of permissions. ++ */ ++ if (current->no_new_privs && !unconfined(profile)) { ++ put_cred(cred); ++ return -EPERM; ++ } ++ + if (ns_name) { + /* released below */ + ns = aa_find_namespace(profile->ns, ns_name); +-- +1.7.9.1 + |