Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1209726c authored by Andrew G. Morgan's avatar Andrew G. Morgan Committed by Linus Torvalds
Browse files

security: filesystem capabilities: fix CAP_SETPCAP handling 



The filesystem capability support meaning for CAP_SETPCAP is less powerful
than the non-filesystem capability support.  As such, when filesystem
capabilities are configured, we should not permit CAP_SETPCAP to 'enhance'
the current process through strace manipulation of a child process.

Signed-off-by: default avatarAndrew G. Morgan <morgan@kernel.org>
Acked-by: default avatarSerge Hallyn <serue@us.ibm.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 086f7316

security/commoncap.c

+10 −3
Original line number Original line Diff line number Diff line
@@ -103,10 +103,16 @@ static inline int cap_inh_is_capped(void) 
	return (cap_capable(current, CAP_SETPCAP) != 0);

	return (cap_capable(current, CAP_SETPCAP) != 0);

}

}





static inline int cap_limit_ptraced_target(void) { return 1; }



#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */

#else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */





static inline int cap_block_setpcap(struct task_struct *t) { return 0; }

static inline int cap_block_setpcap(struct task_struct *t) { return 0; }

static inline int cap_inh_is_capped(void) { return 1; }

static inline int cap_inh_is_capped(void) { return 1; }

static inline int cap_limit_ptraced_target(void)

{

	return !capable(CAP_SETPCAP);

}





#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */

#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
@@ -342,8 +348,9 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 
				bprm->e_uid = current->uid;

				bprm->e_uid = current->uid;

				bprm->e_gid = current->gid;

				bprm->e_gid = current->gid;

			}

			}

			if (!capable (CAP_SETPCAP)) {

			if (cap_limit_ptraced_target()) {

				new_permitted = cap_intersect (new_permitted,

				new_permitted =

					cap_intersect(new_permitted,

						      current->cap_permitted);

						      current->cap_permitted);

			}

			}

		}

		}