Patchwork [quantal,lowlatency] Revert "UBUNTU: SAUCE: (no-up) AppArmor: Disable Add PR_{GET, SET}_NO_NEW_PRIVS to prevent execve from granting privs"

login
register
mail settings
Submitter John Johansen
Date Aug. 12, 2013, 9:22 p.m.
Message ID <5209522D.7050509@canonical.com>
Download mbox | patch
Permalink /patch/266636/
State New
Headers show

Comments

John Johansen - Aug. 12, 2013, 9:22 p.m.
BugLink: http://bugs.launchpad.net/bugs/1202161

Reverts commit c27debc6b9cc939ac6919074f4ed3c82cb745ca5 which was fixed in
c29bceb3

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/domain.c | 4 ----
 1 file changed, 4 deletions(-)
Stefan Bader - Aug. 13, 2013, 9:01 a.m.
A little more explanation in the revert about how this slipped in would have
been helpful- It is a bit hard to figure out.
Andy Whitcroft - Aug. 13, 2013, 9:03 a.m.
On Mon, Aug 12, 2013 at 02:22:53PM -0700, John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/1202161
> 
> Reverts commit c27debc6b9cc939ac6919074f4ed3c82cb745ca5 which was fixed in
> c29bceb3
> 
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/domain.c | 4 ----
>  1 file changed, 4 deletions(-)
> 
> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
> index 31a3f52..afa8671 100644
> --- a/security/apparmor/domain.c
> +++ b/security/apparmor/domain.c
> @@ -360,10 +360,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
>  	if (bprm->cred_prepared)
>  		return 0;
>  
> -	/* XXX: no_new_privs is not usable with AppArmor yet */
> -	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
> -		return -EPERM;
> -
>  	cxt = bprm->cred->security;
>  	BUG_ON(!cxt);

These derivatives are all rebase trees so they should get this fix
naturally.

-apw

Patch

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 31a3f52..afa8671 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -360,10 +360,6 @@  int apparmor_bprm_set_creds(struct linux_binprm *bprm)
 	if (bprm->cred_prepared)
 		return 0;
 
-	/* XXX: no_new_privs is not usable with AppArmor yet */
-	if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
-		return -EPERM;
-
 	cxt = bprm->cred->security;
 	BUG_ON(!cxt);