clone: add CLONE_NNP

Add a new clone3() flag CLONE_NNP that sets no_new_privs on the child
process at clone time. This is analogous to prctl(PR_SET_NO_NEW_PRIVS)
but applied at process creation rather than requiring a separate step
after the child starts running.

CLONE_NNP is rejected with CLONE_THREAD. It's conceptually a lot simpler
if the whole thread-group is forced into NNP and not have single threads
running around with NNP.

Link: https://patch.msgid.link/20260226-work-pidfs-autoreap-v5-2-d148b984a989@kernel.org
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
index 69f7b4f9eb0c60c4123fd6f04394d4907844defa..386c8d7e89cbff467043a2670103e6b55a5ca11c 100644 (file)
--- a/include/uapi/linux/sched.h
+++ b/include/uapi/linux/sched.h
@@ -37,6 +37,7 @@
 #define CLONE_CLEAR_SIGHAND    (1ULL << 32) /* Clear any signal handler and reset to SIG_DFL. */
 #define CLONE_INTO_CGROUP      (1ULL << 33) /* Clone into a specific cgroup given the right permissions. */
 #define CLONE_AUTOREAP         (1ULL << 34) /* Auto-reap child on exit. */
+#define CLONE_NNP              (1ULL << 35) /* Set no_new_privs on child. */
 
 /*
  * cloning flags intersect with CSIGNAL so can be used with unshare and clone3

diff --git a/kernel/fork.c b/kernel/fork.c
index 10549574fda6990d7557b830e1e05d324a01bf31..736798e4005a7dabbba94dd4254b13396b7b3fd5 100644 (file)
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2040,6 +2040,11 @@ __latent_entropy struct task_struct *copy_process(
        if ((clone_flags & CLONE_PARENT) && current->signal->autoreap)
                return ERR_PTR(-EINVAL);
 
+       if (clone_flags & CLONE_NNP) {
+               if (clone_flags & CLONE_THREAD)
+                       return ERR_PTR(-EINVAL);
+       }
+
        /*
         * Force any signals received before this point to be delivered
         * before the fork happens.  Collect up signals sent to multiple
@@ -2424,6 +2429,9 @@ __latent_entropy struct task_struct *copy_process(
         */
        copy_seccomp(p);
 
+       if (clone_flags & CLONE_NNP)
+               task_set_no_new_privs(p);
+
        init_task_pid_links(p);
        if (likely(p->pid)) {
                ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
@@ -2912,7 +2920,7 @@ static bool clone3_args_valid(struct kernel_clone_args *kargs)
        /* Verify that no unknown flags are passed along. */
        if (kargs->flags &
            ~(CLONE_LEGACY_FLAGS | CLONE_CLEAR_SIGHAND | CLONE_INTO_CGROUP |
-             CLONE_AUTOREAP))
+             CLONE_AUTOREAP | CLONE_NNP))
                return false;
 
        /*