[PATCH 1/1] security: handle secureexec with filesystem capabilities

From: Serge E. Hallyn
Date: Mon Aug 21 2006 - 15:54:17 EST


A secure exec is required if euid!=uid, and, correspondingly,
if the executable's file capability set was not empty and the
process is not owned by (real uid) root.

Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
security/commoncap.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 6bf030d..b1777a9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -265,11 +265,15 @@ void cap_bprm_apply_creds (struct linux_

int cap_bprm_secureexec (struct linux_binprm *bprm)
{
- /* If/when this module is enhanced to incorporate capability
- bits on files, the test below should be extended to also perform a
- test between the old and new capability sets. For now,
- it simply preserves the legacy decision algorithm used by
- the old userland. */
+ if (current->uid != 0) {
+ if (!cap_isclear(bprm->cap_effective))
+ return 1;
+ if (!cap_isclear(bprm->cap_permitted))
+ return 1;
+ if (!cap_isclear(bprm->cap_inheritable))
+ return 1;
+ }
+
return (current->euid != current->uid ||
current->egid != current->gid);
}
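Review bot: The new block returns 1 whenever any of the three file capability sets is non-empty for a non-root real uid, but the comment it removes asked for "a test between the old and new capability sets", and the commit message frames the condition the same way (secure exec when the exec may change privilege). As written, a non-root process that already holds every capability the file grants is still flagged, and a non-empty `bprm->cap_inheritable` triggers secure exec even though file inheritable bits only become effective through the caller's own inheritable set. Consider comparing `bprm->cap_*` against `current->cap_*` (or against the caller's old sets saved before `cap_bprm_apply_creds`), and keep a short comment in place of the removed one stating why each of the three sets is checked and why the test is keyed on `current->uid` rather than `current->euid`.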
--
1.4.2
