aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
Diffstat (limited to 'fs')
-rw-r--r--fs/exec.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c
index b1fd2025e59a..d038968b54b4 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1245,6 +1245,13 @@ static int check_unsafe_exec(struct linux_binprm *bprm)
1245 bprm->unsafe |= LSM_UNSAFE_PTRACE; 1245 bprm->unsafe |= LSM_UNSAFE_PTRACE;
1246 } 1246 }
1247 1247
1248 /*
1249 * This isn't strictly necessary, but it makes it harder for LSMs to
1250 * mess up.
1251 */
1252 if (current->no_new_privs)
1253 bprm->unsafe |= LSM_UNSAFE_NO_NEW_PRIVS;
1254
1248 n_fs = 1; 1255 n_fs = 1;
1249 spin_lock(&p->fs->lock); 1256 spin_lock(&p->fs->lock);
1250 rcu_read_lock(); 1257 rcu_read_lock();
@@ -1288,7 +1295,8 @@ int prepare_binprm(struct linux_binprm *bprm)
1288 bprm->cred->euid = current_euid(); 1295 bprm->cred->euid = current_euid();
1289 bprm->cred->egid = current_egid(); 1296 bprm->cred->egid = current_egid();
1290 1297
1291 if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { 1298 if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
1299 !current->no_new_privs) {
1292 /* Set-uid? */ 1300 /* Set-uid? */
1293 if (mode & S_ISUID) { 1301 if (mode & S_ISUID) {
1294 bprm->per_clear |= PER_CLEAR_ON_SETID; 1302 bprm->per_clear |= PER_CLEAR_ON_SETID;
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-02 03:41:42 -0500