On Mon, Feb 13, 2017 at 11:01 AM, Andy Lutomirski <[email protected]> wrote: > On Fri, Feb 10, 2017 at 3:44 PM, Kees Cook <[email protected]> wrote: >> On Wed, Jan 18, 2017 at 3:35 PM, Andy Lutomirski <[email protected]> wrote: >>> On Wed, Jan 18, 2017 at 2:50 PM, Djalal Harouni <[email protected]> wrote: >>>> Andy I don't follow here, no_new_privs is never cleared right ? I >>>> can't see the corresponding clear bit code for it. >>> >>> I believe that unsharing userns clears no_new_privs. >> >> Seriously? That's kind of ... weird. I mean, I guess you're >> priv-confined in a way, but that seems fragile. >> > > I appear to have made this up. Either I genuinely pulled it out of > thin air or it was discussed and not done. > > $ setpriv --nnp unshare -Ur cat /proc/self/status |grep NoNewPrivs > NoNewPrivs: 1 > > If it were to be done, it ought to be quite safe except for possible LSM > issues.
Okay, cool. Thanks. (Also, where does "setpriv" live? I must need a new set of util-linux or something?) -Kees -- Kees Cook Pixel Security
