[PATCH 2/4] security: filesystem capabilities bugfix2

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Andrew G. Morgan" <morgan@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: David Howells <dhowells@redhat.com>,
	"Serge E. Hallyn" <serue@us.ibm.com>,
	Linux Security Modules List 
	<linux-security-module@vger.kernel.org>,
	lkml <linux-kernel@vger.kernel.org>
Subject: [PATCH 2/4] security: filesystem capabilities bugfix2
Date: Thu, 26 Jun 2008 01:48:44 -0700	[thread overview]
Message-ID: <486357EC.5060205@kernel.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 328 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugfix for strace, and CAP_SETPCAP, in the case that filesystem
capabilities are supported.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFIY1fr+bHCR3gb8jsRAph7AKDOlmeveIpQs1jhIs0TJxjCdMAS5ACgsml6
7UYR+FZpW2XdmG8PkiZzemU=
=+Ko+
-----END PGP SIGNATURE-----

[-- Attachment #2: 0002-Blunt-CAP_SETPCAP-on-strace-with-filesystem-capabili.patch --]
[-- Type: text/plain, Size: 1770 bytes --]

From f4419c78fff77c4fa3cdfa6b0a78edae92ddf467 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan <morgan@kernel.org>
Date: Wed, 25 Jun 2008 23:24:10 -0700
Subject: [PATCH] Blunt CAP_SETPCAP on strace with filesystem capability support

The filesystem capability support meaning for CAP_SETPCAP is less
powerful than the non-filesystem capability support. As such, when
filesystem capabilities are configured, we should not permit
CAP_SETPCAP to 'enhance' the current process through strace
manipulation of a child process.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
 security/commoncap.c |   13 ++++++++++---
 1 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 5edabc7..a9ea921 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -103,10 +103,16 @@ static inline int cap_inh_is_capped(void)
 	return (cap_capable(current, CAP_SETPCAP) != 0);
 }
 
+static inline int cap_limit_straced_target(void) { return 1; }
+
 #else /* ie., ndef CONFIG_SECURITY_FILE_CAPABILITIES */
 
 static inline int cap_block_setpcap(struct task_struct *t) { return 0; }
 static inline int cap_inh_is_capped(void) { return 1; }
+static inline int cap_limit_straced_target(void)
+{
+	return !capable(CAP_SETPCAP);
+}
 
 #endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
 
@@ -342,9 +348,10 @@ void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 				bprm->e_uid = current->uid;
 				bprm->e_gid = current->gid;
 			}
-			if (!capable (CAP_SETPCAP)) {
-				new_permitted = cap_intersect (new_permitted,
-							current->cap_permitted);
+			if (cap_limit_straced_target()) {
+				new_permitted =
+					cap_intersect(new_permitted,
+						      current->cap_permitted);
 			}
 		}
 	}
-- 
1.5.3.7

next             reply	other threads:[~2008-06-26  8:48 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-06-26  8:48 Andrew G. Morgan [this message]
2008-06-27 20:59 ` [PATCH 2/4] security: filesystem capabilities bugfix2 Serge E. Hallyn
2008-06-30 14:53   ` David Howells
2008-06-30 18:53     ` Serge E. Hallyn
2008-06-30 19:10       ` David Howells
2008-06-30 19:49         ` Serge E. Hallyn
2008-06-27 23:04 ` David Howells
2008-06-30  5:41   ` Andrew G. Morgan
2008-06-30  9:45     ` David Howells

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5edabc7 dfblob:a9ea921 )
 OR (
bs:"Blunt CAP_SETPCAP on strace with filesystem capability support" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=486357EC.5060205@kernel.org \
    --to=morgan@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=dhowells@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serue@us.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox