Commit 70169420 authored by Eric W. Biederman's avatar Eric W. Biederman

exec: Don't reset euid and egid when the tracee has CAP_SETUID

Don't reset euid and egid when the tracee has CAP_SETUID in
it's user namespace.  I punted on relaxing this permission check
long ago but now that I have read this code closely it is clear
it is safe to test against CAP_SETUID in the user namespace.
Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
parent 1cce1eea
...@@ -550,7 +550,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) ...@@ -550,7 +550,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
!cap_issubset(new->cap_permitted, old->cap_permitted)) && !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) { bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
/* downgrade; they get no more than they had, and maybe less */ /* downgrade; they get no more than they had, and maybe less */
if (!capable(CAP_SETUID) || if (!ns_capable(new->user_ns, CAP_SETUID) ||
(bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) { (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
new->euid = new->uid; new->euid = new->uid;
new->egid = new->gid; new->egid = new->gid;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment