From: Serge E. Hallyn <[EMAIL PROTECTED]>
Subject: [PATCH 2/2] file capabilities: honor !SECURE_NOROOT
When the SECURE_NOROOT securebit is not set, allow root to
keep it's capabilities over exec, rather than compute the
capabilities based on file capabilities.
Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
---
security/commoncap.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index fde9695..be86acb 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -202,12 +202,16 @@ #endif
int cap_bprm_set_security (struct linux_binprm *bprm)
{
+ int ret;
+
/* Copied from fs/exec.c:prepare_binprm. */
cap_clear (bprm->cap_inheritable);
cap_clear (bprm->cap_permitted);
cap_clear (bprm->cap_effective);
+ ret = set_file_caps(bprm);
+
/* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we raise all three
* capability sets for the file.
@@ -225,7 +229,7 @@ int cap_bprm_set_security (struct linux_
cap_set_full (bprm->cap_effective);
}
- return set_file_caps(bprm);
+ return ret;
}
void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
--
1.4.1
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
