Re: [PATCH v2 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot

From: Andy Lutomirski
Date: Mon Jan 16 2012 - 16:58:15 EST


On Mon, Jan 16, 2012 at 1:47 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Mon, 2012-01-16 at 13:25 -0800, Andy Lutomirski wrote:
>
>> The MS_NOSUID semantics are somewhat ridiculous for selinux,
>
> I don't see how they're ridiculous.

exec_sid is silently ignored. So runcon will not switch context but
will still appear to succeed.

>
>> and I'd
>> rather not make them match for no_new_privs.
>
> Note your patch for selinux does exactly the same thing in the NOSUID
> case and your NO_NEW_PRIVS flag.  Right?
>
> -       if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
> +       if ((bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) ||
> +           (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS))
>                new_tsec->sid = old_tsec->sid;
>

See several lines up.

>
>>  AppArmor completely
>> ignores MS_NOSUID,
>
> Ugh...well, I guess if it doesn't store any security data associated
> with files, only with file names, then there's nothing for it to do.

Nope. It looks it up by file name or path, I think.

> Like I said before though, I think SELinux is the only sane LSM.

I think the fact that there is a bprm_set_creds hook at all is insane,
but maybe that's just me. I think this is one of the things that
Windows does far better than POSIX. On Windows, CreateProcess (the
moral equivalent of execve) never gains privileges.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/