On Mon, Feb 13, 2017 at 11:01 AM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: > On Fri, Feb 10, 2017 at 3:44 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote: >> On Wed, Jan 18, 2017 at 3:35 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote: >>> On Wed, Jan 18, 2017 at 2:50 PM, Djalal Harouni <tixxdz@xxxxxxxxx> wrote: >>>> Andy I don't follow here, no_new_privs is never cleared right ? I >>>> can't see the corresponding clear bit code for it. >>> >>> I believe that unsharing userns clears no_new_privs. >> >> Seriously? That's kind of ... weird. I mean, I guess you're >> priv-confined in a way, but that seems fragile. >> > > I appear to have made this up. Either I genuinely pulled it out of > thin air or it was discussed and not done. > > $ setpriv --nnp unshare -Ur cat /proc/self/status |grep NoNewPrivs > NoNewPrivs: 1 > > If it were to be done, it ought to be quite safe except for possible LSM issues. Okay, cool. Thanks. (Also, where does "setpriv" live? I must need a new set of util-linux or something?) -Kees -- Kees Cook Pixel Security -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html