Description
The kernel has the "nonewprivs" flag, which can be enabled with the NoNewPrivs option of systemd during boot. This option lets you prevent privilege escalation in any process where that behavior is undesirable. Once the flag is set, it persists across the execve, clone and fork syscalls and cannot be cleared. This limits what an attacker gains from exploiting vulnerable software, since the compromised process keeps running as an ordinary user and cannot escalate.
In practice this means: setuid/setgid binaries will stop working.
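The three properties described above (the flag can be set from user space, it is inherited across fork and execve, and the kernel refuses to clear it) can be checked with a small program. The following is an added example written for this page, not code from the Hack Week project or from the linked repositories; it assumes a Linux host with /proc mounted and a /bin/sh that has grep available, and it uses only the documented prctl(2) interface.

```c
// Added example (not from the Hack Week page or any of the linked projects):
// exercises the kernel no_new_privs flag from user space via prctl(2).
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

// Fallbacks for older headers; the values are the kernel's uapi constants.
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

// Returns 1 if the flag is set on the calling thread, 0 if not, -1 on error.
int nnp_get(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

// Sets the flag. The kernel only accepts arg2 == 1; returns 0 on success.
int nnp_set(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

// Attempts to clear the flag. There is no kernel interface for that: the
// call fails and errno (expected EINVAL) is returned. This is the
// "cannot be cleared" property from the description.
int nnp_try_clear(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;  // would mean the kernel let us clear it; not expected
    return errno;
}

// Reads the NoNewPrivs line from /proc/self/status, the same information
// an administrator would look at with `grep NoNewPrivs /proc/<pid>/status`.
// Returns the value, or -1 if the line is missing or the file is unreadable.
int nnp_from_proc_status(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);  // atoi skips the tab before the digit
            break;
        }
    }
    fclose(f);
    return value;
}

// fork()s and reports the flag as seen by the child: inheritance across fork.
int nnp_seen_by_forked_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

// fork()s, execve()s /bin/sh and lets the new program inspect its own
// /proc status: inheritance across execve. Returns the shell's exit status
// (0 means the flag was still set after the exec).
int nnp_survives_execve(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c",
              "grep -q '^NoNewPrivs:[[:space:]]*1$' /proc/self/status",
              (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("before: prctl=%d /proc=%d\n", nnp_get(), nnp_from_proc_status());
    if (nnp_set() != 0) { perror("PR_SET_NO_NEW_PRIVS"); return 1; }
    printf("after:  prctl=%d /proc=%d\n", nnp_get(), nnp_from_proc_status());
    printf("child after fork sees flag: %d\n", nnp_seen_by_forked_child());
    printf("shell after execve sees flag: %s\n",
           nnp_survives_execve() == 0 ? "yes" : "no");
    int e = nnp_try_clear();
    printf("clearing the flag: %s\n", e ? strerror(e) : "succeeded (unexpected)");
    return 0;
}
```

Build with `cc -Wall -o nnp nnp.c` and run as an ordinary user; no privileges are needed to set the flag. If the process already runs under a seccomp filter or a systemd unit with NoNewPrivileges=yes, the "before" line will already show 1, which is exactly the inherited state the description talks about.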
Currently there is a PoC with openSUSE MicroOS as container host, including rootless podman container.
Goals
The goal is to enhance this to a full Desktop machine with SELinux enabled and NoNewPrivs set:
- ✅ Wrappers around run0 for pkexec, su and sudo: works
- ✅ Test with KDE: installed disable-setuid, everything works in daily usage
- Test with GNOME, document what's not working and try to solve that <= GNOME user needed for this!
- Test with k3s
- Test with k8s
- ✅ Test with sssd/openldap
- ✅ Test with NIS (ypserv/ypbind) (setsebool -P allow_ypbind 1)
- ✅ Test mariadb with auth_pam: works if you whitelist the mysql user for pwaccessd.
- Test with KVM/qemu/libvirt
- Test mail (postfix, sendmail, ...)
- Go through list of setuid/setgid services (see my blog below) in Tumbleweed and find ideas to get rid of them.
Resources
- https://www.thkukuk.de/blog/nonewprivs/
- https://github.com/thkukuk/run0-wrappers
- https://github.com/thkukuk/account-utils
- openSUSE MicroOS for container
- openSUSE Tumbleweed for Desktop
- https://build.opensuse.org/project/show/home:kukuk:nonewprivs
Result
One week openSUSE Tumbleweed with KDE and SELinux (in permissive mode) and NoNewPrivs enabled on my notebook, and there was no problem doing all the usual daily work with it. But I didn't manage to test everything.
This project is part of:
Hack Week 25