Página inicial Explorar Ajuda
Entrar
GfA
/
linux_kernel
5
0
Fork 0
Arquivos Issues 0 Pull Requests 0 Wiki
Ver código fonte

exec: Don't reset euid and egid when the tracee has CAP_SETUID

Don't reset euid and egid when the tracee has CAP_SETUID in
it's user namespace.  I punted on relaxing this permission check
long ago but now that I have read this code closely it is clear
it is safe to test against CAP_SETUID in the user namespace.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman 8 anos atrás
pai
1cce1eea0a
commit
70169420f5
1 arquivos alterados com 1 adições e 1 exclusões
Visão dividida Mostrar estatísticas do Diff
  1. 1 1
      security/commoncap.c

+ 1 - 1
security/commoncap.c
Ver arquivo 

@@ -550,7 +550,7 @@ skip:
 
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
 
 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 
 		/* downgrade; they get no more than they had, and maybe less */
 
-		if (!capable(CAP_SETUID) ||
 
+		if (!ns_capable(new->user_ns, CAP_SETUID) ||
 
 		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
 
 			new->euid = new->uid;
 
 			new->egid = new->gid;