Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS

Add support for AppArmor to explicitly fail requested domain transitions
if NO_NEW_PRIVS is set and the task is not unconfined.

Transitions from unconfined are still allowed because this always results
in a reduction of privileges.

Acked-by: Eric Paris <>
Signed-off-by: Will Drewry <>
Signed-off-by: John Johansen <>
Signed-off-by: Andy Lutomirski <>

v18: new acked-by, new description
1 file changed