Jann Horn 103502a35c seccomp: always propagate NO_NEW_PRIVS on tsync ...

Before this patch, a process with some permissive seccomp filter
that was applied by root without NO_NEW_PRIVS was able to add
more filters to itself without setting NO_NEW_PRIVS by setting
the new filter from a throwaway thread with NO_NEW_PRIVS.

Signed-off-by: Jann Horn <jann@thejh.net>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>

2016-01-27 07:38:25 -08:00

25 KiB

Raw Blame History

View Raw