android_kernel_google_msm/fs
Andy Lutomirski 14434eef82 Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs
With this change, calling
  prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
disables privilege granting operations at execve-time.  For example, a
process will not be able to execute a setuid binary to change their uid
or gid if this bit is set.  The same is true for file capabilities.

Additionally, LSM_UNSAFE_NO_NEW_PRIVS is defined to ensure that
LSMs respect the requested behavior.

To determine if the NO_NEW_PRIVS bit is set, a task may call
  prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
It returns 1 if set and 0 if it is not set. If any of the arguments are
non-zero, it will return -1 and set errno to -EINVAL.
(PR_SET_NO_NEW_PRIVS behaves similarly.)

This functionality is desired for the proposed seccomp filter patch
series.  By using PR_SET_NO_NEW_PRIVS, it allows a task to modify the
system call behavior for itself and its child tasks without being
able to impact the behavior of a more privileged task.

Another potential use is making certain privileged operations
unprivileged.  For example, chroot may be considered "safe" if it cannot
affect privileged tasks.

Note, this patch causes execve to fail when PR_SET_NO_NEW_PRIVS is
set and AppArmor is in use.  It is fixed in a subsequent patch.

Signed-off-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Will Drewry <wad@chromium.org>
Acked-by: Eric Paris <eparis@redhat.com>

v18: updated change desc
v17: using new define values as per 3.4

Conflicts:
	include/linux/prctl.h
	kernel/sys.c
2014-10-31 19:46:07 -07:00
9p 9p changes for the 3.4 merge window 2012-03-28 09:58:38 -07:00
adfs
affs
afs
autofs4 autofs: make the autofsv5 packet file descriptor use a packetized pipe 2012-04-29 13:30:08 -07:00
befs
bfs
btrfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2012-05-06 10:20:07 -07:00
cachefiles
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-03-28 10:01:29 -07:00
cifs freezer: add unsafe versions of freezable helpers for CIFS 2013-07-12 14:22:55 -07:00
coda Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
configfs
cramfs
debugfs simple_open: automatically convert to simple_open() 2012-04-05 15:25:50 -07:00
devpts
dlm dlm fixes for 3.4 2012-04-23 18:22:42 -07:00
ecryptfs
efs
exofs Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd 2012-03-28 20:04:27 -07:00
exportfs
ext2 migrate ext2_fs.h guts to fs/ext2/ext2.h 2012-03-31 16:03:16 -04:00
ext3 ext3: move headers to fs/ext3/ 2012-03-31 16:03:16 -04:00
ext4 ext4: protect group inode free counting with group lock 2013-04-18 16:07:55 -07:00
fat fs: fat: rate limit the kernel messages 2013-02-20 02:49:28 -08:00
freevxfs
fscache
fuse mm: Use correct define for CMA features 2013-03-07 15:23:58 -08:00
gfs2 GFS2: Instruct DLM to avoid queue convert slowdown 2012-04-24 13:26:50 +01:00
hfs
hfsplus hfsplus: Fix potential buffer overflows 2012-05-04 17:11:24 -07:00
hostfs Merge branch 'for-linus-3.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml 2012-03-27 18:29:53 -07:00
hpfs
hppfs
hugetlbfs hugetlbfs: lockdep annotate root inode properly 2012-04-25 21:26:34 -07:00
isofs
jbd
jbd2 jbd2: use GFP_NOFS for blkdev_issue_flush 2012-04-23 21:43:41 -04:00
jffs2 jffs2: Fix lock acquisition order bug in gc path 2012-05-07 20:30:14 +01:00
jfs
lockd lockd: fix the endianness bug 2012-04-13 13:50:52 -04:00
logfs
minix
ncpfs Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
nfs freezer: add unsafe versions of freezable helpers for NFS 2013-07-12 14:22:55 -07:00
nfs_common
nfsd nfsd: fix nfs4recover.c printk format warning 2012-04-30 12:28:48 -07:00
nilfs2
nls
notify fs/notify/notification.c: make subsys_initcall function static 2012-03-23 16:58:31 -07:00
ntfs
ocfs2 ocfs2: ->e_leaf_clusters endianness breakage 2012-04-13 12:31:43 -04:00
omfs
openpromfs
proc mm: add a field to store names for private anonymous memory 2013-10-11 10:02:06 -07:00
pstore Merge branch 'akpm' (Andrew's patch-bomb) 2012-04-05 15:30:34 -07:00
qnx4
qnx6
quota Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-03-28 10:00:14 -07:00
ramfs
reiserfs Disintegrate and delete asm/system.h 2012-03-28 15:58:21 -07:00
romfs MTD merge for 3.4 2012-03-30 17:31:56 -07:00
squashfs Add an extra mount time sanity check, plus some code cleanups and bug fixes. 2012-03-28 18:05:54 -07:00
sysfs sysfs: handle 'parent deleted before child added' 2012-04-10 14:48:51 -07:00
sysv
ubifs ubifs: Fix compiler warning 2013-02-27 18:10:47 -08:00
udf Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs 2012-03-28 10:00:14 -07:00
ufs Remove all #inclusions of asm/system.h 2012-03-28 18:30:03 +01:00
xfs Disintegrate and delete asm/system.h 2012-03-28 15:58:21 -07:00
yaffs2 fs: yaffs2: Add null pointer check before dereferencing inode 2013-02-27 18:19:17 -08:00
aio.c kill mm argument of vm_munmap() 2012-04-21 01:58:20 -04:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_elf_fdpic.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_em86.c
binfmt_flat.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
binfmt_misc.c magic.h: move some FS magic numbers into magic.h 2012-03-23 16:58:31 -07:00
binfmt_script.c
binfmt_som.c VM: add "vm_mmap()" helper function 2012-04-20 17:29:13 -07:00
bio-integrity.c
bio.c bio allocation failure due to bio_get_nr_vecs() 2012-05-11 16:45:12 +02:00
block_dev.c block: don't mark buffers beyond end of disk as mapped 2012-05-11 16:42:14 +02:00
buffer.c block: fix infinite loop in __getblk_slow 2013-03-15 17:09:41 -07:00
char_dev.c
compat.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
compat_binfmt_elf.c
compat_ioctl.c net: bluetooth: ioctl entry to modify auth info. 2013-02-25 11:37:16 -08:00
dcache.c vfs: dcache: fix deadlock in tree traversal 2013-03-15 17:09:25 -07:00
dcookies.c
direct-io.c
drop_caches.c
eventfd.c
eventpoll.c epoll: use freezable blocking call 2013-07-12 14:22:57 -07:00
exec.c Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs 2014-10-31 19:46:07 -07:00
fcntl.c
fhandle.c
fifo.c
file.c Merge branch 'x86-x32-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2012-03-29 18:12:23 -07:00
file_table.c
filesystems.c
fs-writeback.c ext4: fix potential deadlock in ext4_nonda_switch() 2013-03-15 17:09:42 -07:00
fs_struct.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
generic_acl.c
inode.c
internal.h
ioctl.c
ioprio.c
Kconfig fs: yaffs: Import yaffs from Thu Dec 23 13:31:37 2010 +1300 2012-04-09 13:57:46 -07:00
Kconfig.binfmt
libfs.c dentry leak in simple_fill_super() failure exit 2012-04-09 01:39:22 -04:00
locks.c CIFS: Fix VFS lock usage for oplocked files 2012-04-01 13:54:27 -05:00
Makefile fs: yaffs: Import yaffs from Thu Dec 23 13:31:37 2010 +1300 2012-04-09 13:57:46 -07:00
mbcache.c
mount.h
mpage.c
namei.c vfs: make word-at-a-time accesses handle a non-existing page 2012-05-03 14:01:40 -07:00
namespace.c
no-block.c
open.c
pipe.c pipes: add a "packetized pipe" mode for writing 2012-04-29 13:12:42 -07:00
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
read_write.h
readdir.c
select.c select: use freezable blocking call 2013-07-12 14:22:58 -07:00
seq_file.c Fixing bad conflict resolution 2014-01-15 17:23:56 -08:00
signalfd.c
splice.c tcp: tcp_sendpages() should call tcp_push() once 2012-04-05 19:04:27 -04:00
stack.c
stat.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
statfs.c
super.c The following text was taken from the original review request: 2012-03-24 10:24:31 -07:00
sync.c
timerfd.c
utimes.c
xattr.c fs/xattr.c:setxattr(): improve handling of allocation failures 2012-04-05 15:25:50 -07:00
xattr_acl.c