[PATCH 2/4] security: filesystem capabilities bugfix2

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Andrew G. Morgan" <morgan@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	Linux Security Modules List 
	<linux-security-module@vger.kernel.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: [PATCH 2/4] security: filesystem capabilities bugfix2
Date: Thu, 26 Jun 2008 01:48:44 -0700	[thread overview]
Message-ID: <486357EC.5060205@kernel.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 328 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugfix for strace, and CAP_SETPCAP, in the case that filesystem
capabilities are supported.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFIY1fr+bHCR3gb8jsRAph7AKDOlmeveIpQs1jhIs0TJxjCdMAS5ACgsml6
7UYR+FZpW2XdmG8PkiZzemU=
=+Ko+
-----END PGP SIGNATURE-----

[-- Attachment #2: 0002-Blunt-CAP_SETPCAP-on-strace-with-filesystem-capabili.patch --]
[-- Type: text/plain, Size: 1770 bytes --]

From f4419c78fff77c4fa3cdfa6b0a78edae92ddf467 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan <morgan@kernel.org>
Date: Wed, 25 Jun 2008 23:24:10 -0700
Subject: [PATCH] Blunt CAP_SETPCAP on strace with filesystem capability support

The filesystem capability support meaning for CAP_SETPCAP is less
powerful than the non-filesystem capability support. As such, when
filesystem capabilities are configured, we should not permit
CAP_SETPCAP to 'enhance' the current process through strace
manipulation of a child process.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
 security/commoncap.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 5edabc7..a9ea921 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -103,10 +103,16 @@ static inline int cap_inh_is_capped(void)
 	return (cap_capable(current, CAP_SETPCAP) != 0);
 }
 
+static inline int cap_limit_straced_target(void) { return 1; }
+
 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
 
 static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
 static inline int cap_inh_is_capped(void) { return 1; }
+static inline int cap_limit_straced_target(void)
+{
+	return !capable(CAP_SETPCAP);
+}
 
 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
 
@@ -342,9 +348,10 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 				bprm->e_uid = current->uid;
 				bprm->e_gid = current->gid;
 			}
-			if (!capable (CAP_SETPCAP)) {
-				new_permitted = cap_intersect (new_permitted,
-							current->cap_permitted);
+			if (cap_limit_straced_target()) {
+				new_permitted =
+					cap_intersect(new_permitted,
+						      current->cap_permitted);
 			}
 		}
 	}
-- 
1.5.3.7

next             reply	other threads:[~2008-06-26  8:48 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-06-26  8:48 Andrew G. Morgan [this message]
2008-06-27 20:59 ` [PATCH 2/4] security: filesystem capabilities bugfix2 Serge E. Hallyn
2008-06-30 14:53   ` David Howells
2008-06-30 18:53     ` Serge E. Hallyn
2008-06-30 19:10       ` David Howells
2008-06-30 19:49         ` Serge E. Hallyn
2008-06-27 23:04 ` David Howells
2008-06-30  5:41   ` Andrew G. Morgan
2008-06-30  9:45     ` David Howells

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5edabc7 dfblob:a9ea921 )
 OR (
bs:"Blunt CAP_SETPCAP on strace with filesystem capability support" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=486357EC.5060205@kernel.org \
    --to=morgan@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.