NoNewPrivs all the things
Issue description

NoNewPrivs is a per-process setting that prevents the process and its descendants from ever gaining any privilege. We should use it everywhere we can.
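As an added illustration of the mechanism the description refers to (example code written for this page, not code from the Chromium OS project or from any of the commits below), here is a small Linux C program that sets the flag with prctl(2), reads it back both from the process itself and from the NoNewPrivs field of /proc/<pid>/status, shows that a forked child inherits it, and shows that it cannot be cleared once set. The function names are mine and are assumptions for this example; nothing here is a Chromium OS or Minijail API.

```c
/* nnp_demo.c: set, query and inherit no_new_privs via prctl(2). Linux only.
 * Added example for this page; function names are the author's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Turn on no_new_privs for the caller. From here on, execve() of a
 * setuid/setgid or file-capability binary runs it with the caller's
 * credentials instead of elevated ones. Returns 0 on success, -1 on error. */
int set_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Read the flag back: 1 if set, 0 if clear, -1 on error. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* The flag is one-way: the kernel only accepts arg2 == 1, so an attempt
 * to clear it fails with EINVAL. Returns -1 when the kernel refuses. */
int try_clear_no_new_privs(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Fork a child and report the child's view of the flag (1/0), or -1 on
 * failure. Descendants inherit no_new_privs across fork() and execve(),
 * which is why setting it in a service's launcher covers the daemon and
 * every helper it spawns. */
int child_sees_no_new_privs(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int v = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        _exit(v < 0 ? 3 : v);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    return code == 3 ? -1 : code;
}

/* Parse the "NoNewPrivs:" line of /proc/<pid>/status, the view an external
 * audit of running services has. Returns the value, or -1 if the file or
 * the field is unavailable (the field exists on Linux >= 4.10). */
int status_no_new_privs(pid_t pid)
{
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int val = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            val = atoi(line + 11);   /* atoi skips the tab after the colon */
            break;
        }
    }
    fclose(f);
    return val;
}

int main(void)
{
    printf("before: prctl=%d /proc=%d\n", get_no_new_privs(),
           status_no_new_privs(getpid()));
    if (set_no_new_privs() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  prctl=%d /proc=%d child=%d\n", get_no_new_privs(),
           status_no_new_privs(getpid()), child_sees_no_new_privs());
    if (try_clear_no_new_privs() == -1 && errno == EINVAL)
        printf("clearing the flag is refused (EINVAL), as expected\n");
    return 0;
}
```

The practical caveat the functional TEST= lines in the commits below are guarding against: because the flag is inherited and irreversible, any daemon that relies on exec'ing a setuid helper to do privileged work will silently run that helper unprivileged once it is launched under no_new_privs, so each service needs a real functional check (audio, Bluetooth, WiFi) alongside the sandbox audit. The same flag is also what lets an unprivileged process install a seccomp filter, which is why sandboxing tools such as Minijail combine the two.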
Jun 8 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/dccb3d6b4db6075e09df15238c23778aa253ef7f

commit dccb3d6b4db6075e09df15238c23778aa253ef7f
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Jun 08 06:45:38 2017

permission_broker: Set NoNewPrivs.

BUG=chromium:730623
TEST=platform_Firewall (uses permission_broker to talk to firewalld.)
TEST=security_SandboxedServices.

Change-Id: I42d9edd15ba92285342726ea59bbdd430c436956
Reviewed-on: https://chromium-review.googlesource.com/527194
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/dccb3d6b4db6075e09df15238c23778aa253ef7f/permission_broker/permission_broker.conf
Jun 8 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/adhd/+/a0aab94fc9aaacabb198c01d560d29ac19a89900

commit a0aab94fc9aaacabb198c01d560d29ac19a89900
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Jun 08 06:45:40 2017

Set NoNewPrivs for cras.

Also fix some typos and grammar in the shell script.

BUG=chromium:730623
TEST=Audio still works.
TEST=security_SandboxedServices.

Change-Id: Ifaed8c90df299711d5982b244893da754cf8d757
Reviewed-on: https://chromium-review.googlesource.com/527193
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/a0aab94fc9aaacabb198c01d560d29ac19a89900/init/cras.conf
[modify] https://crrev.com/a0aab94fc9aaacabb198c01d560d29ac19a89900/init/cras.sh
Jun 8 2017
Jun 9 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/429712d2b27f5ed3a9666d09388055756c87dde3

commit 429712d2b27f5ed3a9666d09388055756c87dde3
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Jun 09 16:16:27 2017

Set NoNewPrivs for bluetoothd.

BUG=chromium:730623
TEST=Enable Bluetooth, device sees other Bluetooth devices.
TEST=security_SandboxedServices.

Change-Id: I62c13b86f8c1a661bba451c4672bb0602d8935c0
Reviewed-on: https://chromium-review.googlesource.com/526933
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/429712d2b27f5ed3a9666d09388055756c87dde3/net-wireless/bluez/files/bluetoothd.service
[modify] https://crrev.com/429712d2b27f5ed3a9666d09388055756c87dde3/net-wireless/bluez/files/bluez-upstart.conf
Jun 17 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/a7c8388dc3776f42ef8d247983bbb0574008ee9e

commit a7c8388dc3776f42ef8d247983bbb0574008ee9e
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Sat Jun 17 08:12:41 2017

modemmanager-next: Use NoNewPrivs.

BUG=chromium:730623
TEST=security_SandboxedServices.

Change-Id: I33389c9e43ec90dd209bb003dee96f8aa42b156b
Reviewed-on: https://chromium-review.googlesource.com/527498
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>

[modify] https://crrev.com/a7c8388dc3776f42ef8d247983bbb0574008ee9e/net-misc/modemmanager-next/files/modemmanager.conf
[modify] https://crrev.com/a7c8388dc3776f42ef8d247983bbb0574008ee9e/net-misc/modemmanager-next/files/modemmanager.service
Jun 29 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/daisydog/+/96d9e30fdfb7ab8b0cdc44228359dd0c08d59946

commit 96d9e30fdfb7ab8b0cdc44228359dd0c08d59946
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Thu Jun 29 21:16:35 2017

Use NoNewPrivs for daisydog.

Doesn't look like daisydog is launching anything that requires elevating privilege.

BUG=chromium:730623
TEST=security_SandboxedServices.

Change-Id: Ia6ea273c543c2e4a9bd9d7dd0e49142d2e08640a
Reviewed-on: https://chromium-review.googlesource.com/527817
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/96d9e30fdfb7ab8b0cdc44228359dd0c08d59946/daisydog.conf
Jun 30 2017
Jul 5 2017
Jul 7 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/581f552eb5c63562285c13a01d36bc164f2d0edd

commit 581f552eb5c63562285c13a01d36bc164f2d0edd
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Jul 07 04:13:56 2017

wpa_supplicant: Use NoNewPrivs.

BUG=chromium:730623
TEST=Connect to encrypted WiFi network.
TEST=security_SandboxedServices.

Change-Id: I5bc1ea0aac7e45df28ef19a8a26c27a2312173bd
Reviewed-on: https://chromium-review.googlesource.com/539895
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Ben Chan <benchan@chromium.org>
Reviewed-by: Kirtika Ruchandani <kirtika@chromium.org>

[modify] https://crrev.com/581f552eb5c63562285c13a01d36bc164f2d0edd/net-wireless/wpa_supplicant/files/init/wpasupplicant.service
[modify] https://crrev.com/581f552eb5c63562285c13a01d36bc164f2d0edd/net-wireless/wpa_supplicant/files/init/wpasupplicant.conf
Jul 10 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/05f757b54b934be3992427286b2ddeaf6791c08b

commit 05f757b54b934be3992427286b2ddeaf6791c08b
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Mon Jul 10 22:27:28 2017

security_SandboxedServices: Add some more no_new_privs.

This was most of the NNP low-hanging fruit. Most of what's left is 3P code dropping privs without Minijail, or stuff running as root.

BUG=chromium:730623
TEST=Passes on kevin.

Change-Id: I21a955a7dd8a755f6d8374bc5f455626997d42e2
Reviewed-on: https://chromium-review.googlesource.com/563717
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/05f757b54b934be3992427286b2ddeaf6791c08b/client/site_tests/security_SandboxedServices/baseline
Jul 10 2017
The only thing missing here is updating the baseline for wpa_supplicant.
Jul 12 2017
The NextAction date has arrived: 2017-07-12
Jul 14 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/c4bf7569f319d90b4438b117581ee7bfaf150795

commit c4bf7569f319d90b4438b117581ee7bfaf150795
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Jul 14 02:46:16 2017

wpa_supplicant: Uprev.

https://chromium-review.googlesource.com/c/539895/ missed an uprev.

BUG=chromium:730623
TEST=emerge-kevin wpa_supplicant, check init script.

Change-Id: I6a7dff19a66a0ed1117b57a1ec3dcb9f2227a747
Reviewed-on: https://chromium-review.googlesource.com/567120
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[rename] https://crrev.com/c4bf7569f319d90b4438b117581ee7bfaf150795/net-wireless/wpa_supplicant/wpa_supplicant-2.5-r79.ebuild
Jul 14 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/autotest/+/4d92126654fd2ce2ca1c1370d56b46571cc40349

commit 4d92126654fd2ce2ca1c1370d56b46571cc40349
Author: Jorge Lucangeli Obes <jorgelo@chromium.org>
Date: Fri Jul 14 14:37:07 2017

security_SandboxedServices: Enforce no_new_privs.

Once the dependent CL uprevs wpa_supplicant, we can enforce no_new_privs.

BUG=chromium:730623
TEST=Passes on minnie.
CQ-DEPEND=CL:567120

Change-Id: I7fe9886e20e60f6af09c69bd294cf5abbf5598bc
Reviewed-on: https://chromium-review.googlesource.com/567263
Commit-Ready: Jorge Lucangeli Obes <jorgelo@chromium.org>
Tested-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/4d92126654fd2ce2ca1c1370d56b46571cc40349/client/site_tests/security_SandboxedServices/baseline
Jul 14 2017
I'm gonna call this fixed. Looks like we have at least 10 new entries with no_new_privs.
Jan 22 2018
Comment 1 by jorgelo@chromium.org, Jun 7 2017