1 files changed, 9 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index 302e8d0839a..5bc1895f3f9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
        if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
                return 0;
+        /*
+         * Running a setuid root program raises your capabilities.
+         * Killing your own setuid root processes was previously
+         * allowed.
+         * We must preserve legacy signal behavior in this case.
+         */
+        if (p->euid == 0 && p->uid == current->uid)
+                return 0;
        /* sigcont is permitted within same session */
        if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
                return 0;

diff --git a/security/commoncap.c b/security/commoncap.c index 302e8d0839a..5bc1895f3f9 100644 --- a/security/commoncap.c +++ b/security/commoncap.c
@@ -526,6 +526,15 @@ int cap_task_kill(struct task_struct p, struct siginfo info,
526	if (info != SEND_SIG_NOINFO && (is_si_special(info) \|\| SI_FROMKERNEL(info)))	526	if (info != SEND_SIG_NOINFO && (is_si_special(info) \|\| SI_FROMKERNEL(info)))
527	return 0;	527	return 0;
528		528
		529	/*
		530	* Running a setuid root program raises your capabilities.
		531	* Killing your own setuid root processes was previously
		532	* allowed.
		533	* We must preserve legacy signal behavior in this case.
		534	*/
		535	if (p->euid == 0 && p->uid == current->uid)
		536	return 0;
		537
529	/* sigcont is permitted within same session */	538	/* sigcont is permitted within same session */
530	if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))	539	if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
531	return 0;	540	return 0;