Please note this requires a followon patch: 51b79bee627d526199b2f6a6bef8ee0c0739b6d1
To fix a build failure on non-x86 systems (not certain how the header gets pulled in on x86, but it does) You need it in all of the stable branches. -Eric On Thu, 2012-04-19 at 09:07 -0700, [email protected] wrote: > This is a note to let you know that I've just added the patch titled > > fcaps: clear the same personality flags as suid when fcaps are used > > to the 3.3-stable tree which can be found at: > > http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary > > The filename of the patch is: > fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch > and it can be found in the queue-3.3 subdirectory. > > If you, or anyone else, feels it should not be added to the stable tree, > please let <[email protected]> know about it. > > > From d52fc5dde171f030170a6cb78034d166b13c9445 Mon Sep 17 00:00:00 2001 > From: Eric Paris <[email protected]> > Date: Tue, 17 Apr 2012 16:26:54 -0400 > Subject: fcaps: clear the same personality flags as suid when fcaps are used > > From: Eric Paris <[email protected]> > > commit d52fc5dde171f030170a6cb78034d166b13c9445 upstream. > > If a process increases permissions using fcaps all of the dangerous > personality flags which are cleared for suid apps should also be cleared. > Thus programs given priviledge with fcaps will continue to have address space > randomization enabled even if the parent tried to disable it to make it > easier to attack. > > Signed-off-by: Eric Paris <[email protected]> > Reviewed-by: Serge Hallyn <[email protected]> > Signed-off-by: James Morris <[email protected]> > Signed-off-by: Greg Kroah-Hartman <[email protected]> > > --- > security/commoncap.c | 5 +++++ > 1 file changed, 5 insertions(+) > > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -504,6 +504,11 @@ int cap_bprm_set_creds(struct linux_binp > } > skip: > > + /* if we have fs caps, clear dangerous personality flags */ > + if (!cap_issubset(new->cap_permitted, old->cap_permitted)) > + bprm->per_clear |= PER_CLEAR_ON_SETID; > + > + > /* Don't let someone trace a set[ug]id/setpcap binary with the revised > * credentials unless they have the appropriate permit > */ > > > Patches currently in stable-queue which might be from [email protected] are > > queue-3.3/fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
