======================
No New Privileges Flag
======================

The execve system call can grant a newly-started program privileges that
its parent did not have.  The most obvious examples are setuid/setgid
programs and file capabilities.  To prevent the parent program from
gaining these privileges as well, the kernel and user code must be
careful to prevent the parent from doing anything that could subvert the
child.  For example:

  - The dynamic loader handles ``LD_*`` environment variables differently if
    a program is setuid.

  - chroot is disallowed to unprivileged processes, since it would allow
    ``/etc/passwd`` to be replaced from the point of view of a process that
    inherited chroot.

  - The exec code has special handling for ptrace.

These are all ad-hoc fixes.  The ``no_new_privs`` bit (since Linux 3.5) is a
new, generic mechanism to make it safe for a process to modify its
execution environment in a manner that persists across execve.  Any task
can set ``no_new_privs``.  Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset.  With ``no_new_privs`` set, ``execve()``
promises not to grant the privilege to do anything that could not have
been done without the execve call.  For example, the setuid and setgid
bits will no longer change the uid or gid; file capabilities will not
add to the permitted set, and LSMs will not relax constraints after
execve.

To set ``no_new_privs``, use::

    prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);

Be careful, though: LSMs might also not tighten constraints on exec
in ``no_new_privs`` mode.  (This means that setting up a general-purpose
service launcher to set ``no_new_privs`` before execing daemons may
interfere with LSM-based sandboxing.)

Note that ``no_new_privs`` does not prevent privilege changes that do not
involve ``execve()``.  An appropriately privileged task can still call
``setuid(2)`` and receive SCM_RIGHTS datagrams.

There are two main use cases for ``no_new_privs`` so far:

  - Filters installed for the seccomp mode 2 sandbox persist across
    execve and can change the behavior of newly-executed programs.
    Unprivileged users are therefore only allowed to install such filters
    if ``no_new_privs`` is set.

  - By itself, ``no_new_privs`` can be used to reduce the attack surface
    available to an unprivileged user.  If everything running with a
    given uid has ``no_new_privs`` set, then that uid will be unable to
    escalate its privileges by directly attacking setuid, setgid, and
    fcap-using binaries; it will need to compromise something without the
    ``no_new_privs`` bit set first.

In the future, other potentially dangerous kernel features could become
available to unprivileged tasks if ``no_new_privs`` is set.  In principle,
several options to ``unshare(2)`` and ``clone(2)`` would be safe when
``no_new_privs`` is set, and ``no_new_privs`` + ``chroot`` is considerably less
dangerous than chroot by itself.
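The following is an added example, not part of the kernel documentation: it sets the bit with the ``prctl()`` call shown above, reads it back with ``PR_GET_NO_NEW_PRIVS``, shows that a later attempt to clear it is rejected with ``EINVAL``, and shows that a forked child inherits it.  It assumes a Linux kernel with ``no_new_privs`` support (3.5 or later).

```c
/* Added example; assumes Linux 3.5+ (sys/prctl.h provides the PR_* constants). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the calling task has no_new_privs set, 0 if not, -1 on error. */
int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Set the bit exactly as the documentation shows. 0 on success, -1 on error. */
int nnp_set(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }

/* Try to clear the bit. The kernel accepts only arg2 == 1 for
 * PR_SET_NO_NEW_PRIVS, so this returns -1 with errno == EINVAL: once set,
 * the bit stays set for the rest of the task's life. */
int nnp_try_clear(void) { return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Fork and return the child's nnp_get() result: 1 means the bit was
 * inherited across fork (it is likewise kept across clone and execve). */
int nnp_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 1 : 0);   /* report the child's own view */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    if (nnp_set() != 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    int cleared = nnp_try_clear();       /* expected: -1 */
    int err = errno;                     /* expected: EINVAL */
    printf("set: %d  clear: %d (%s)  child: %d\n",
           nnp_get(), cleared, strerror(err), nnp_in_child());
    return 0;
}
```

Once the process has set the bit, any setuid/setgid or file-capability binary it executes runs with only the privileges the caller already had, which is what makes the seccomp-filter use case above safe for unprivileged users.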