diff options
Diffstat (limited to 'security/commoncap.c')
| -rw-r--r-- | security/commoncap.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index 0cf4b53480a7..71a166a05975 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
| @@ -29,6 +29,7 @@ | |||
| 29 | #include <linux/securebits.h> | 29 | #include <linux/securebits.h> |
| 30 | #include <linux/user_namespace.h> | 30 | #include <linux/user_namespace.h> |
| 31 | #include <linux/binfmts.h> | 31 | #include <linux/binfmts.h> |
| 32 | #include <linux/personality.h> | ||
| 32 | 33 | ||
| 33 | /* | 34 | /* |
| 34 | * If a non-root user executes a setuid-root binary in | 35 | * If a non-root user executes a setuid-root binary in |
| @@ -505,6 +506,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) | |||
| 505 | } | 506 | } |
| 506 | skip: | 507 | skip: |
| 507 | 508 | ||
| 509 | /* if we have fs caps, clear dangerous personality flags */ | ||
| 510 | if (!cap_issubset(new->cap_permitted, old->cap_permitted)) | ||
| 511 | bprm->per_clear |= PER_CLEAR_ON_SETID; | ||
| 512 | |||
| 513 | |||
| 508 | /* Don't let someone trace a set[ug]id/setpcap binary with the revised | 514 | /* Don't let someone trace a set[ug]id/setpcap binary with the revised |
| 509 | * credentials unless they have the appropriate permit | 515 | * credentials unless they have the appropriate permit |
| 510 | */ | 516 | */ |