.. Source: Documentation/userspace-api/no_new_privs.rst (Linux kernel documentation)

======================
No New Privileges Flag
======================

The execve system call can grant a newly-started program privileges that
its parent did not have. The most obvious examples are setuid/setgid
programs and file capabilities. To prevent the parent program from
gaining these privileges as well, the kernel and user code must be
careful to prevent the parent from doing anything that could subvert the
child. For example:

  - The dynamic loader handles ``LD_*`` environment variables differently if
    a program is setuid.

  - chroot is disallowed to unprivileged processes, since it would allow
    ``/etc/passwd`` to be replaced from the point of view of a process that
    inherited chroot.

  - The exec code has special handling for ptrace.

These are all ad-hoc fixes. The ``no_new_privs`` bit (since Linux 3.5) is a
new, generic mechanism to make it safe for a process to modify its
execution environment in a manner that persists across execve. Any task
can set ``no_new_privs``. Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset. With ``no_new_privs`` set, ``execve()``
promises not to grant the privilege to do anything that could not have
been done without the execve call. For example, the setuid and setgid
bits will no longer change the uid or gid; file capabilities will not
add to the permitted set, and LSMs will not relax constraints after
execve. Note that ``execve()`` of a setuid or capability-bearing binary
still succeeds; the program simply runs with the caller's own credentials,
much as it would from a filesystem mounted ``nosuid``, so it fails later
when it tries to use the privilege rather than failing at exec time.

To set ``no_new_privs``, use::

    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
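As an added example (not part of the kernel documentation), the following C
program sets the bit with the ``prctl()`` call above, reads it back with
``PR_GET_NO_NEW_PRIVS`` (also available since Linux 3.5) and via the
``NoNewPrivs:`` line of ``/proc/self/status`` (Linux 4.10 and later), checks
that a forked child inherits it, and shows that a second ``prctl()`` asking
to clear it is rejected with ``EINVAL``. The function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set no_new_privs on the calling task: 0 on success, -errno on failure. */
int nnp_set(void)
{
	return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1 ? -errno : 0;
}

/* Read the bit back: 1 if set, 0 if clear, -errno on failure. */
int nnp_get(void)
{
	int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);

	return r == -1 ? -errno : r;
}

/*
 * Cross-check against the "NoNewPrivs:" line that /proc/PID/status
 * exposes on Linux 4.10 and later.  Returns 1 or 0, or -1 if the line
 * is absent (older kernel) or /proc is not mounted.
 */
int nnp_from_proc(void)
{
	FILE *f = fopen("/proc/self/status", "r");
	char line[256];
	int val = -1;

	if (!f)
		return -1;
	while (fgets(line, sizeof line, f))
		if (sscanf(line, "NoNewPrivs: %d", &val) == 1)
			break;
	fclose(f);
	return val;
}

/*
 * Fork and report the bit as seen by the child (1 set, 0 clear).  The
 * bit is copied into the child at fork time, so once the parent has set
 * it every descendant sees it too.
 */
int nnp_in_child(void)
{
	int status;
	pid_t pid = fork();

	if (pid == -1)
		return -errno;
	if (pid == 0)
		_exit(nnp_get() == 1 ? 1 : 0);
	if (waitpid(pid, &status, 0) == -1)
		return -errno;
	return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * Try to clear the bit.  The kernel only accepts arg2 == 1 for
 * PR_SET_NO_NEW_PRIVS, so this fails with -EINVAL: the bit is sticky.
 */
int nnp_try_clear(void)
{
	return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 ? -errno : 0;
}

int main(void)
{
	printf("before: prctl=%d proc=%d\n", nnp_get(), nnp_from_proc());
	if (nnp_set() != 0) {
		perror("PR_SET_NO_NEW_PRIVS");
		return 1;
	}
	printf("after:  prctl=%d proc=%d child=%d\n",
	       nnp_get(), nnp_from_proc(), nnp_in_child());
	printf("clearing the bit: %s\n", strerror(-nnp_try_clear()));
	return 0;
}
```

Run it as an ordinary user; the "before" line reads 0 unless whatever
launched the program had already set the bit (the util-linux
``setpriv --no-new-privs`` wrapper and systemd's ``NoNewPrivileges=`` both
do), in which case setting it again simply succeeds. Checking
``NoNewPrivs:`` in ``/proc/PID/status`` is also the quickest way to audit
an already-running process from outside.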
Be careful, though: LSMs might also not tighten constraints on exec
in ``no_new_privs`` mode. (This means that setting up a general-purpose
service launcher to set ``no_new_privs`` before execing daemons may
interfere with LSM-based sandboxing.)

Note that ``no_new_privs`` does not prevent privilege changes that do not
involve ``execve()``. An appropriately privileged task can still call
``setuid(2)`` and receive SCM_RIGHTS datagrams (file descriptors passed
over a Unix domain socket).

There are two main use cases for ``no_new_privs`` so far:

  - Filters installed for the seccomp mode 2 sandbox
    (``SECCOMP_MODE_FILTER``) persist across execve and can change the
    behavior of newly-executed programs. Unprivileged users (tasks
    without ``CAP_SYS_ADMIN`` in their user namespace) are therefore only
    allowed to install such filters if ``no_new_privs`` is set.

  - By itself, ``no_new_privs`` can be used to reduce the attack surface
    available to an unprivileged user. If everything running with a
    given uid has ``no_new_privs`` set, then that uid will be unable to
    escalate its privileges by directly attacking setuid, setgid, and
    fcap-using binaries; it will need to compromise something without the
    ``no_new_privs`` bit set first.
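The seccomp rule in the first bullet can be observed directly. The C program
below is an added example, not part of the kernel documentation: it tries to
install a one-instruction allow-everything filter with
``prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)``, which the kernel refuses
with ``EACCES`` for a task that has neither ``no_new_privs`` nor
``CAP_SYS_ADMIN`` in its user namespace, then sets ``no_new_privs`` and
retries. The function names and the outcome codes are my own convention.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/*
 * A one-instruction classic BPF program that returns SECCOMP_RET_ALLOW
 * for every syscall.  Its content is irrelevant here: the question is
 * whether the kernel lets this task install a filter at all.
 * Returns 0 on success, -errno on failure.
 */
static int install_allow_all_filter(void)
{
	struct sock_filter allow = BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
	struct sock_fprog prog = { .len = 1, .filter = &allow };

	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0, 0) == -1)
		return -errno;
	return 0;
}

/*
 * Outcome codes (this example's own convention):
 *   1   filter refused with EACCES until no_new_privs was set, then accepted
 *   2   filter accepted even without setting no_new_privs here (the task
 *       holds CAP_SYS_ADMIN, or the bit was already set when it started)
 *  <0   negated errno of an unexpected failure (for instance -EINVAL on a
 *       kernel built without CONFIG_SECCOMP_FILTER)
 */
int seccomp_needs_nnp(void)
{
	int ret = install_allow_all_filter();

	if (ret == 0)
		return 2;
	if (ret != -EACCES)
		return ret;
	/* Unprivileged path: the filter is only accepted once the bit is set. */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
		return -errno;
	ret = install_allow_all_filter();
	return ret == 0 ? 1 : ret;
}

int main(void)
{
	int r = seccomp_needs_nnp();

	switch (r) {
	case 1:
		puts("filter rejected (EACCES) until no_new_privs was set, then accepted");
		break;
	case 2:
		puts("filter accepted without setting no_new_privs (privileged, or bit already set)");
		break;
	default:
		printf("unexpected failure: %s\n", strerror(-r));
		return 1;
	}
	return 0;
}
```

Run as an unprivileged user in the initial user namespace the program
reports outcome 1; as root with ``CAP_SYS_ADMIN`` it reports 2, which is
exactly the asymmetry the bullet describes: a privileged task may install
a filter that survives execve because it could already have changed any
program it executes, while an unprivileged task must first give up the
ability to gain privilege across execve.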
In the future, other potentially dangerous kernel features could become
available to unprivileged tasks if ``no_new_privs`` is set. In principle,
several options to ``unshare(2)`` and ``clone(2)`` would be safe when
``no_new_privs`` is set, and ``no_new_privs`` + ``chroot`` is considerably less
dangerous than chroot by itself.