Re: [RFC][PATCH v3] Unprivileged: Disable raising of privileges

[Eric W. Biederman]

"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:

>> diff --git a/security/commoncap.c b/security/commoncap.c
>> index f800fdb..34500e3 100644
>> --- a/security/commoncap.c
>> +++ b/security/commoncap.c
>> @@ -389,7 +389,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective)
>>  	if (!file_caps_enabled)
>>  		return 0;
>> 
>> -	if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
>> +	if (bprm->nosuid)
>>  		return 0;
>
> I'm sorry, this may actually not be sufficient.
>
> Could you try the following test on a kernel with this patch? :
>
> 1. become root
> 2. do prctl(PR_SET_NOSUID);
> 3. run bash, and examine your capabilities in /proc/self/status
>
> I think the code in security/commoncap.c:457-458 will re-raise your
> capabilities.

Right.  That is a legitimate issue.
I almost guard against it with my test against with my start condition test
of cap_isclear(cred->cap_permitted).

Which causes this to fail for root in most situations.  I will add a
test for the securebits, and deny this to root unless the securebits
are such that root cannot gain privilege.

Thanks for catching this.  I figured I might need a uid == 0 exclusion.
Where the test was split when I wrote it I wasn't certain where to put it.

Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/