[PATCH][quantal] Revert "UBUNTU: SAUCE: (no-up) AppArmor: Disable Add PR_{GET, SET}_NO_NEW_PRIVS to prevent execve from granting privs"
John Johansen
john.johansen at canonical.com
Tue Aug 13 09:08:16 UTC 2013
On 08/13/2013 02:02 AM, Andy Whitcroft wrote:
> On Mon, Aug 12, 2013 at 02:23:12PM -0700, John Johansen wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1202161
>>
>> Reverts commit c27debc6b9cc939ac6919074f4ed3c82cb745ca5 which was fixed in
>> c29bceb3
>>
>> Signed-off-by: John Johansen <john.johansen at canonical.com>
>> ---
>> security/apparmor/domain.c | 4 ----
>> 1 file changed, 4 deletions(-)
>>
>> diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
>> index 31a3f52..afa8671 100644
>> --- a/security/apparmor/domain.c
>> +++ b/security/apparmor/domain.c
>> @@ -360,10 +360,6 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
>> if (bprm->cred_prepared)
>> return 0;
>>
>> - /* XXX: no_new_privs is not usable with AppArmor yet */
>> - if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)
>> - return -EPERM;
>> -
>> cxt = bprm->cred->security;
>> BUG_ON(!cxt);
>>
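Review bot: With the LSM_UNSAFE_NO_NEW_PRIVS early return removed from apparmor_bprm_set_creds(), nothing in the visible context after `cxt = bprm->cred->security;` shows how the function treats that flag, so the changelog should say what the c29bceb3 fix changed that makes dropping the -EPERM safe, and cite that commit by its full id rather than the 8-character abbreviation. A regression test that sets PR_SET_NO_NEW_PRIVS and then execs a binary under a confined profile would catch both a leftover refusal like this one and any later regression in the handling.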
>
> Looks like we had this as a sauce patch, which also went upstream, and
Yeah, we picked it up as part of the patch set for lxc.
> then you fixed it (in 3.4-rc4), and we rebased and the sauce version
> survived the process?
>
I am not sure what happened there nor why I didn't notice it was still
in place. We certainly are missing tests for this and that is something
that I need to fix.
> Certainly it looks appropriate to remove this.
>
> Acked-by: Andy Whitcroft <apw at canonical.com>
>
> -apw
>