Commit ddd443e4 authored by Stephen D. Smalley's avatar Stephen D. Smalley Committed by Linus Torvalds

[PATCH] selinux: fix clearing of new personality bit on security transitions

This patch moves the clearing of the new personality bit from
selinux_bprm_apply_creds (called from compute_creds) to
selinux_bprm_set_security (called from prepare_binprm).  This ensures that the
bit is cleared at the same point in exec processing as for setuid/setgid
binaries, prior to setting up the new image.
Signed-off-by: default avatarStephen Smalley <sds@epoch.ncsc.mil>
Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent dac25d20
...@@ -1685,6 +1685,9 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm) ...@@ -1685,6 +1685,9 @@ static int selinux_bprm_set_security(struct linux_binprm *bprm)
if (rc) if (rc)
return rc; return rc;
/* Clear any possibly unsafe personality bits on exec: */
current->personality &= ~PER_CLEAR_ON_SETID;
/* Set the security field to the new SID. */ /* Set the security field to the new SID. */
bsec->sid = newsid; bsec->sid = newsid;
} }
...@@ -1895,9 +1898,6 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) ...@@ -1895,9 +1898,6 @@ static void selinux_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
task_unlock(current); task_unlock(current);
} }
/* Clear any possibly unsafe personality bits on exec: */
current->personality &= ~PER_CLEAR_ON_SETID;
/* Close files for which the new task SID is not authorized. */ /* Close files for which the new task SID is not authorized. */
flush_unauthorized_files(current->files); flush_unauthorized_files(current->files);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment