Question: No New Privs

[doublez13]

I'm confused about the following error while tinkering with an apparmor profile:

apparmor="DENIED" operation="exec" class="file" info="no new privs"

It doesn't matter if I transition to a regular profile (Px), a child profile (Cx), or even unconfined (Ux), it still gets denied trying to exec another binary. An ix transition works, but I would prefer to use a more confined policy instead of inheriting the current policy.

My initial thought was seccomp, but I don't see any filters loaded when running the program (with apparmor disabled)

# grep -Ei "priv|seccomp" /proc/1024413/status 
NoNewPrivs:	0
Seccomp:	0
Seccomp_filters:	0

Lastly, the program is not started with Systemd, and I'm aware this is a semi common issue for Systemd services.

Can you shine some light on this for me? :)

[roddhjav]

Have a look at https://apparmor.pujol.io/development/structure/#no-new-privileges

It is common in systemd when a service is configured (in its unit file) in a sandbox that set the nnp flags. It is also systematic with sandbox managed by bwrap.