From 3760a5aa8e5c2a6c7494156f5bd35ff73c959d84 Mon Sep 17 00:00:00 2001 From: Andy Lutomirski Date: Mon, 2 Jul 2012 14:03:58 -0700 Subject: [PATCH] --- yaml --- r: 311549 b: refs/heads/master c: 09b243577be319ef55310b45c65737008f3ebf12 h: refs/heads/master i: 311547: cb6c998fc5c2ea524d8e49b64522280abc1b79bb v: v3 --- [refs] | 2 +- trunk/Documentation/prctl/no_new_privs.txt | 50 +++++++++++++++++++ trunk/arch/powerpc/kvm/book3s_hv_rmhandlers.S | 2 +- trunk/arch/powerpc/xmon/xmon.c | 2 +- 4 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 trunk/Documentation/prctl/no_new_privs.txt diff --git a/[refs] b/[refs] index 4415c79aa2bf..0e06642e04eb 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 9d4056aa9efa07015aa6da11ae2e72f22dc55c97 +refs/heads/master: 09b243577be319ef55310b45c65737008f3ebf12 diff --git a/trunk/Documentation/prctl/no_new_privs.txt b/trunk/Documentation/prctl/no_new_privs.txt new file mode 100644 index 000000000000..cb705ec69abe --- /dev/null +++ b/trunk/Documentation/prctl/no_new_privs.txt @@ -0,0 +1,50 @@ +The execve system call can grant a newly-started program privileges that +its parent did not have. The most obvious examples are setuid/setgid +programs and file capabilities. To prevent the parent program from +gaining these privileges as well, the kernel and user code must be +careful to prevent the parent from doing anything that could subvert the +child. For example: + + - The dynamic loader handles LD_* environment variables differently if + a program is setuid. + + - chroot is disallowed to unprivileged processes, since it would allow + /etc/passwd to be replaced from the point of view of a process that + inherited chroot. + + - The exec code has special handling for ptrace. + +These are all ad-hoc fixes. The no_new_privs bit (since Linux 3.5) is a +new, generic mechanism to make it safe for a process to modify its +execution environment in a manner that persists across execve. Any task +can set no_new_privs. Once the bit is set, it is inherited across fork, +clone, and execve and cannot be unset. With no_new_privs set, execve +promises not to grant the privilege to do anything that could not have +been done without the execve call. For example, the setuid and setgid +bits will no longer change the uid or gid; file capabilities will not +add to the permitted set, and LSMs will not relax constraints after +execve. + +Note that no_new_privs does not prevent privilege changes that do not +involve execve. An appropriately privileged task can still call +setuid(2) and receive SCM_RIGHTS datagrams. + +There are two main use cases for no_new_privs so far: + + - Filters installed for the seccomp mode 2 sandbox persist across + execve and can change the behavior of newly-executed programs. + Unprivileged users are therefore only allowed to install such filters + if no_new_privs is set. + + - By itself, no_new_privs can be used to reduce the attack surface + available to an unprivileged user. If everything running with a + given uid has no_new_privs set, then that uid will be unable to + escalate its privileges by directly attacking setuid, setgid, and + fcap-using binaries; it will need to compromise something without the + no_new_privs bit set first. + +In the future, other potentially dangerous kernel features could become +available to unprivileged tasks if no_new_privs is set. In principle, +several options to unshare(2) and clone(2) would be safe when +no_new_privs is set, and no_new_privs + chroot is considerable less +dangerous than chroot by itself. diff --git a/trunk/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/trunk/arch/powerpc/kvm/book3s_hv_rmhandlers.S index a1044f43becd..a84aafce2a12 100644 --- a/trunk/arch/powerpc/kvm/book3s_hv_rmhandlers.S +++ b/trunk/arch/powerpc/kvm/book3s_hv_rmhandlers.S @@ -810,7 +810,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_201) lwz r3,VCORE_NAPPING_THREADS(r5) lwz r4,VCPU_PTID(r9) li r0,1 - sld r0,r0,r4 + sldi r0,r0,r4 andc. r3,r3,r0 /* no sense IPI'ing ourselves */ beq 43f mulli r4,r4,PACA_SIZE /* get paca for thread 0 */ diff --git a/trunk/arch/powerpc/xmon/xmon.c b/trunk/arch/powerpc/xmon/xmon.c index eab3492a45c5..0f3ab06d2222 100644 --- a/trunk/arch/powerpc/xmon/xmon.c +++ b/trunk/arch/powerpc/xmon/xmon.c @@ -971,7 +971,7 @@ static int cpu_cmd(void) /* print cpus waiting or in xmon */ printf("cpus stopped:"); count = 0; - for_each_possible_cpu(cpu) { + for (cpu = 0; cpu < NR_CPUS; ++cpu) { if (cpumask_test_cpu(cpu, &cpus_in_xmon)) { if (count == 0) printf(" %x", cpu);