diff options
| -rw-r--r-- | Documentation/kernel-parameters.txt | 4 | ||||
| -rw-r--r-- | include/linux/capability.h | 3 | ||||
| -rw-r--r-- | kernel/capability.c | 11 | ||||
| -rw-r--r-- | security/commoncap.c | 3 |
4 files changed, 21 insertions, 0 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 1bbcaa8982b6..784443acca9c 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
| @@ -1459,6 +1459,10 @@ and is between 256 and 4096 characters. It is defined in the file | |||
| 1459 | instruction doesn't work correctly and not to | 1459 | instruction doesn't work correctly and not to |
| 1460 | use it. | 1460 | use it. |
| 1461 | 1461 | ||
| 1462 | no_file_caps Tells the kernel not to honor file capabilities. The | ||
| 1463 | only way then for a file to be executed with privilege | ||
| 1464 | is to be setuid root or executed by root. | ||
| 1465 | |||
| 1462 | nohalt [IA-64] Tells the kernel not to use the power saving | 1466 | nohalt [IA-64] Tells the kernel not to use the power saving |
| 1463 | function PAL_HALT_LIGHT when idle. This increases | 1467 | function PAL_HALT_LIGHT when idle. This increases |
| 1464 | power-consumption. On the positive side, it reduces | 1468 | power-consumption. On the positive side, it reduces |
diff --git a/include/linux/capability.h b/include/linux/capability.h index 9d1fe30b6f6c..5bc145bd759a 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h | |||
| @@ -68,6 +68,9 @@ typedef struct __user_cap_data_struct { | |||
| 68 | #define VFS_CAP_U32 VFS_CAP_U32_2 | 68 | #define VFS_CAP_U32 VFS_CAP_U32_2 |
| 69 | #define VFS_CAP_REVISION VFS_CAP_REVISION_2 | 69 | #define VFS_CAP_REVISION VFS_CAP_REVISION_2 |
| 70 | 70 | ||
| 71 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES | ||
| 72 | extern int file_caps_enabled; | ||
| 73 | #endif | ||
| 71 | 74 | ||
| 72 | struct vfs_cap_data { | 75 | struct vfs_cap_data { |
| 73 | __le32 magic_etc; /* Little endian */ | 76 | __le32 magic_etc; /* Little endian */ |
diff --git a/kernel/capability.c b/kernel/capability.c index 33e51e78c2d8..e13a68535ad5 100644 --- a/kernel/capability.c +++ b/kernel/capability.c | |||
| @@ -33,6 +33,17 @@ EXPORT_SYMBOL(__cap_empty_set); | |||
| 33 | EXPORT_SYMBOL(__cap_full_set); | 33 | EXPORT_SYMBOL(__cap_full_set); |
| 34 | EXPORT_SYMBOL(__cap_init_eff_set); | 34 | EXPORT_SYMBOL(__cap_init_eff_set); |
| 35 | 35 | ||
| 36 | #ifdef CONFIG_SECURITY_FILE_CAPABILITIES | ||
| 37 | int file_caps_enabled = 1; | ||
| 38 | |||
| 39 | static int __init file_caps_disable(char *str) | ||
| 40 | { | ||
| 41 | file_caps_enabled = 0; | ||
| 42 | return 1; | ||
| 43 | } | ||
| 44 | __setup("no_file_caps", file_caps_disable); | ||
| 45 | #endif | ||
| 46 | |||
| 36 | /* | 47 | /* |
| 37 | * More recent versions of libcap are available from: | 48 | * More recent versions of libcap are available from: |
| 38 | * | 49 | * |
diff --git a/security/commoncap.c b/security/commoncap.c index 3976613db829..f88119cb2bc2 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -281,6 +281,9 @@ static int get_file_caps(struct linux_binprm *bprm) | |||
| 281 | 281 | ||
| 282 | bprm_clear_caps(bprm); | 282 | bprm_clear_caps(bprm); |
| 283 | 283 | ||
| 284 | if (!file_caps_enabled) | ||
| 285 | return 0; | ||
| 286 | |||
| 284 | if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) | 287 | if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) |
| 285 | return 0; | 288 | return 0; |
| 286 | 289 | ||