[RFC][PATCH] apparmor: Enforce progressively tighter permissions for no_new_privs

2021-01-20 Eric W. Biederman
The current understanding of apparmor with respect to no_new_privs is at odds with how no_new_privs is implemented and understood by the rest of the kernel. The documentation of no_new_privs states: > With ``no_new_privs`` set, ``execve()`` promises not to grant the > privilege to do anything

Re: [RFC][PATCH] apparmor: Enforce progressively tighter permissions for no_new_privs

2021-01-20 John Johansen
On 1/20/21 2:56 PM, Eric W. Biederman wrote: > > TL;DR selinux and apparmor ignore no_new_privs > > What? > AppArmor does not ignore no_new_privs. Its mediation is bounded and it doesn't grant anything that wasn't allowed when NNP was set. > > John Johansen writes: > >> On

Re: [RFC][PATCH] apparmor: Enforce progressively tighter permissions for no_new_privs

2021-01-20 Eric W. Biederman
TL;DR selinux and apparmor ignore no_new_privs What? John Johansen writes: > On 1/20/21 1:26 PM, Eric W. Biederman wrote: >> >> The current understanding of apparmor with respect to no_new_privs is at >> odds with how no_new_privs is implemented and understood by the rest of >>

Re: [RFC][PATCH] apparmor: Enforce progressively tighter permissions for no_new_privs

2021-01-20 John Johansen
On 1/20/21 1:26 PM, Eric W. Biederman wrote: > > The current understanding of apparmor with respect to no_new_privs is at > odds with how no_new_privs is implemented and understood by the rest of > the kernel. > > The documentation of no_new_privs states: >> With ``no_new_privs`` set,

Re: [RFC][PATCH] apparmor: Enforce progressively tighter permissions for no_new_privs

2021-01-20 Eric W. Biederman
This should now Cc the correct email address for James Morris. ebied...@xmission.com (Eric W. Biederman) writes: > The current understanding of apparmor with respect to no_new_privs is at > odds with how no_new_privs is implemented and understood by the rest of > the kernel. > > The