탐색 도움말
가입하기 로그인
dingyu
/
CooCenter-System-kernel
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
브렌치: master
브랜치 태그
CooCenter-Sy...
/
Documentation
/
prctl
/
no_new_privs.txt

no_new_privs.txt 2.7 KB
고유링크 히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 
  1. The execve system call can grant a newly-started program privileges that
    2. 

  2. its parent did not have.  The most obvious examples are setuid/setgid
    3. 

  3. programs and file capabilities.  To prevent the parent program from
    4. 

  4. gaining these privileges as well, the kernel and user code must be
    5. 

  5. careful to prevent the parent from doing anything that could subvert the
    6. 

  6. child.  For example:
    7. 

  7. 

  8.  - The dynamic loader handles LD_* environment variables differently if
    9. 

  9.    a program is setuid.
    10. 

  10. 

  11.  - chroot is disallowed to unprivileged processes, since it would allow
    12. 

  12.    /etc/passwd to be replaced from the point of view of a process that
    13. 

  13.    inherited chroot.
    14. 

  14. 

  15.  - The exec code has special handling for ptrace.
    16. 

  16. 

  17. These are all ad-hoc fixes.  The no_new_privs bit (since Linux 3.5) is a
    18. 

  18. new, generic mechanism to make it safe for a process to modify its
    19. 

  19. execution environment in a manner that persists across execve.  Any task
    20. 

  20. can set no_new_privs.  Once the bit is set, it is inherited across fork,
    21. 

  21. clone, and execve and cannot be unset.  With no_new_privs set, execve
    22. 

  22. promises not to grant the privilege to do anything that could not have
    23. 

  23. been done without the execve call.  For example, the setuid and setgid
    24. 

  24. bits will no longer change the uid or gid; file capabilities will not
    25. 

  25. add to the permitted set, and LSMs will not relax constraints after
    26. 

  26. execve.
    27. 

  27. 

  28. To set no_new_privs, use prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0).
    29. 

  29. 

  30. Be careful, though: LSMs might also not tighten constraints on exec
    31. 

  31. in no_new_privs mode.  (This means that setting up a general-purpose
    32. 

  32. service launcher to set no_new_privs before execing daemons may
    33. 

  33. interfere with LSM-based sandboxing.)
    34. 

  34. 

  35. Note that no_new_privs does not prevent privilege changes that do not
    36. 

  36. involve execve.  An appropriately privileged task can still call
    37. 

  37. setuid(2) and receive SCM_RIGHTS datagrams.
    38. 

  38. 

  39. There are two main use cases for no_new_privs so far:
    40. 

  40. 

  41.  - Filters installed for the seccomp mode 2 sandbox persist across
    42. 

  42.    execve and can change the behavior of newly-executed programs.
    43. 

  43.    Unprivileged users are therefore only allowed to install such filters
    44. 

  44.    if no_new_privs is set.
    45. 

  45. 

  46.  - By itself, no_new_privs can be used to reduce the attack surface
    47. 

  47.    available to an unprivileged user.  If everything running with a
    48. 

  48.    given uid has no_new_privs set, then that uid will be unable to
    49. 

  49.    escalate its privileges by directly attacking setuid, setgid, and
    50. 

  50.    fcap-using binaries; it will need to compromise something without the
    51. 

  51.    no_new_privs bit set first.
    52. 

  52. 

  53. In the future, other potentially dangerous kernel features could become
    54. 

  54. available to unprivileged tasks if no_new_privs is set.  In principle,
    55. 

  55. several options to unshare(2) and clone(2) would be safe when
    56. 

  56. no_new_privs is set, and no_new_privs + chroot is considerable less
    57. 

  57. dangerous than chroot by itself.
    58.