Re: [PATCH v3 1/4] Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execvefrom granting privs

From: Kees Cook
Date: Wed Feb 01 2012 - 13:14:36 EST

Next message: Roland Stigge: "[PATCH] ARM: LPC32xx: Ethernet support"
Previous message: David Miller: "Re: Memory corruption due to word sharing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jan 30, 2012 at 8:17 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> With this set, a lot of dangerous operations (chroot, unshare, etc)
> become a lot less dangerous because there is no possibility of
> subverting privileged binaries.
>
> This patch completely breaks apparmor. Someone who understands (and
> uses) apparmor should fix it or at least give me a hint.
>
> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>

Looking forward to this -- it'll give us a lot more flexibility.

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook
ChromeOS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Roland Stigge: "[PATCH] ARM: LPC32xx: Ethernet support"
Previous message: David Miller: "Re: Memory corruption due to word sharing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]