首頁 探索 說明
登入
GfA
/
linux_kernel
5
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
瀏覽代碼

exec: Don't reset euid and egid when the tracee has CAP_SETUID

Don't reset euid and egid when the tracee has CAP_SETUID in
it's user namespace.  I punted on relaxing this permission check
long ago but now that I have read this code closely it is clear
it is safe to test against CAP_SETUID in the user namespace.

Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric W. Biederman 8 年之前
父節點
1cce1eea0a
當前提交
70169420f5
共有 1 個文件被更改,包括 1 次插入1 次删除
統一視圖 顯示文件統計
  1. 1 1
      security/commoncap.c

+ 1 - 1
security/commoncap.c
查看文件 

@@ -550,7 +550,7 @@ skip:
 
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
 
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
 
 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 
 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 
 		/* downgrade; they get no more than they had, and maybe less */
 
 		/* downgrade; they get no more than they had, and maybe less */
 
-		if (!capable(CAP_SETUID) ||
 
+		if (!ns_capable(new->user_ns, CAP_SETUID) ||
 
 		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
 
 		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
 
 			new->euid = new->uid;
 
 			new->euid = new->uid;
 
 			new->egid = new->gid;
 
 			new->egid = new->gid;