mirror of https://gitee.com/openkylin/linux.git
exec: Don't reset euid and egid when the tracee has CAP_SETUID
Don't reset euid and egid when the tracee has CAP_SETUID in it's user namespace. I punted on relaxing this permission check long ago but now that I have read this code closely it is clear it is safe to test against CAP_SETUID in the user namespace. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
parent
1cce1eea0a
commit
70169420f5
|
@ -550,7 +550,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
|
|||
!cap_issubset(new->cap_permitted, old->cap_permitted)) &&
|
||||
bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
|
||||
/* downgrade; they get no more than they had, and maybe less */
|
||||
if (!capable(CAP_SETUID) ||
|
||||
if (!ns_capable(new->user_ns, CAP_SETUID) ||
|
||||
(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
|
||||
new->euid = new->uid;
|
||||
new->egid = new->gid;
|
||||
|
|
Loading…
Reference in New Issue