CME-707

NoNewPrivileges

Isolate OS/Kernel High Confidence

Description

Sets the no_new_privs process flag, preventing any child process from gaining new privileges via execve (SUID bits, file capabilities, setuid transitions). Inherited across fork/exec.

CVSS Vector Impacts

Metric Transition Rationale
Privileges Required (PR) L H Cannot use SUID binaries or file capabilities to escalate

CWE Relationships

CWE-269 CWE-250

Verification

Check NoNewPrivs flag on process

$ grep NoNewPrivs /proc/<pid>/status
# Expected: NoNewPrivs: 1
Platform: linux
← CME-706: Pod Security Standards (Restricted) CME-708: Least Privilege sudo Configuration →