39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
From d52fc5dde171f030170a6cb78034d166b13c9445 Mon Sep 17 00:00:00 2001
|
|
From: Eric Paris <eparis@redhat.com>
|
|
Date: Tue, 17 Apr 2012 16:26:54 -0400
|
|
Subject: [PATCH] fcaps: clear the same personality flags as suid when fcaps
|
|
are used
|
|
|
|
If a process increases permissions using fcaps all of the dangerous
|
|
personality flags which are cleared for suid apps should also be cleared.
|
|
Thus programs given priviledge with fcaps will continue to have address space
|
|
randomization enabled even if the parent tried to disable it to make it
|
|
easier to attack.
|
|
|
|
Signed-off-by: Eric Paris <eparis@redhat.com>
|
|
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
|
|
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
|
---
|
|
security/commoncap.c | 5 +++++
|
|
1 files changed, 5 insertions(+), 0 deletions(-)
|
|
|
|
diff --git a/security/commoncap.c b/security/commoncap.c
|
|
index 0cf4b53..0ecf4ba 100644
|
|
--- a/security/commoncap.c
|
|
+++ b/security/commoncap.c
|
|
@@ -505,6 +505,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
|
|
}
|
|
skip:
|
|
|
|
+ /* if we have fs caps, clear dangerous personality flags */
|
|
+ if (!cap_issubset(new->cap_permitted, old->cap_permitted))
|
|
+ bprm->per_clear |= PER_CLEAR_ON_SETID;
|
|
+
|
|
+
|
|
/* Don't let someone trace a set[ug]id/setpcap binary with the revised
|
|
* credentials unless they have the appropriate permit
|
|
*/
|
|
--
|
|
1.7.7.6
|
|
|