diff options
Diffstat (limited to 'security')
| -rw-r--r-- | security/apparmor/domain.c | 2 | ||||
| -rw-r--r-- | security/commoncap.c | 5 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 3 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 2 |
4 files changed, 6 insertions, 6 deletions
diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index ef4beef06e9d..001e133a3c8c 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c | |||
| @@ -471,7 +471,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) | |||
| 471 | ; | 471 | ; |
| 472 | } | 472 | } |
| 473 | 473 | ||
| 474 | if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { | 474 | if (bprm->unsafe & LSM_UNSAFE_PTRACE) { |
| 475 | error = may_change_ptraced_domain(new_profile); | 475 | error = may_change_ptraced_domain(new_profile); |
| 476 | if (error) | 476 | if (error) |
| 477 | goto audit; | 477 | goto audit; |
diff --git a/security/commoncap.c b/security/commoncap.c index 6d4d586b9356..78b37838a2d3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -548,9 +548,10 @@ skip: | |||
| 548 | 548 | ||
| 549 | if ((is_setid || | 549 | if ((is_setid || |
| 550 | !cap_issubset(new->cap_permitted, old->cap_permitted)) && | 550 | !cap_issubset(new->cap_permitted, old->cap_permitted)) && |
| 551 | bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { | 551 | ((bprm->unsafe & ~LSM_UNSAFE_PTRACE) || |
| 552 | !ptracer_capable(current, new->user_ns))) { | ||
| 552 | /* downgrade; they get no more than they had, and maybe less */ | 553 | /* downgrade; they get no more than they had, and maybe less */ |
| 553 | if (!capable(CAP_SETUID) || | 554 | if (!ns_capable(new->user_ns, CAP_SETUID) || |
| 554 | (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { | 555 | (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { |
| 555 | new->euid = new->uid; | 556 | new->euid = new->uid; |
| 556 | new->egid = new->gid; | 557 | new->egid = new->gid; |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e6b1b7410321..9a8f12f8d5b7 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -2399,8 +2399,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm) | |||
| 2399 | 2399 | ||
| 2400 | /* Make sure that anyone attempting to ptrace over a task that | 2400 | /* Make sure that anyone attempting to ptrace over a task that |
| 2401 | * changes its SID has the appropriate permit */ | 2401 | * changes its SID has the appropriate permit */ |
| 2402 | if (bprm->unsafe & | 2402 | if (bprm->unsafe & LSM_UNSAFE_PTRACE) { |
| 2403 | (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { | ||
| 2404 | u32 ptsid = ptrace_parent_sid(); | 2403 | u32 ptsid = ptrace_parent_sid(); |
| 2405 | if (ptsid != 0) { | 2404 | if (ptsid != 0) { |
| 2406 | rc = avc_has_perm(ptsid, new_tsec->sid, | 2405 | rc = avc_has_perm(ptsid, new_tsec->sid, |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 60b4217b9b68..fc8fb31fc24f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -931,7 +931,7 @@ static int smack_bprm_set_creds(struct linux_binprm *bprm) | |||
| 931 | isp->smk_task != sbsp->smk_root) | 931 | isp->smk_task != sbsp->smk_root) |
| 932 | return 0; | 932 | return 0; |
| 933 | 933 | ||
| 934 | if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { | 934 | if (bprm->unsafe & LSM_UNSAFE_PTRACE) { |
| 935 | struct task_struct *tracer; | 935 | struct task_struct *tracer; |
| 936 | rc = 0; | 936 | rc = 0; |
| 937 | 937 | ||