>From c9ba01a5761a04f6839cca5857d1bdac36067825 Mon Sep 17 00:00:00 2001 From: Klaus Ethgen Date: Tue, 10 Nov 2015 13:46:11 +0100 Subject: [PATCH] capabilities: enable ambient capabilities explicit Ambient capabilities was introduced by 5831905 recently. This capabilities address a special use case when a process want to limit capabilities but want to be sure that they get inherited over several execve calls. However, there is a flaw in that design as it allows to easily break another use case of capabilities to explicitly _raise_ capabilities for clear defined binaries. Solution ======== With CAP_ENABLE_AMBIENT, there is a new capability that can be set via pP or pI (or even via pA) to explicitly allow the use of ambient capabilities. This would not affect the main use case as long as CAP_ENABLE_AMBIENT is not explicitly removed. But it will fix the problematic use case that now it is up to the admin if he wants to allow the use of ambient capabilities to unprivileged processes. So everybody should be happy with it. Signed-off-by: Klaus Ethgen --- include/uapi/linux/capability.h | 5 ++++- security/commoncap.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h index 12c37a1..9fee97e 100644 --- a/include/uapi/linux/capability.h +++ b/include/uapi/linux/capability.h @@ -351,8 +351,11 @@ struct vfs_cap_data { #define CAP_AUDIT_READ 37 +/* Capability to allow ambient capabilities explicitely */ -#define CAP_LAST_CAP CAP_AUDIT_READ +#define CAP_ENABLE_AMBIENT 38 + +#define CAP_LAST_CAP CAP_ENABLE_AMBIENT #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) diff --git a/security/commoncap.c b/security/commoncap.c index 1832cf7..16b03d3 100644 --- a/security/commoncap.c +++ b/security/commoncap.c 
@@ -994,7 +994,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, (!cap_raised(current_cred()->cap_permitted, arg3) || !cap_raised(current_cred()->cap_inheritable, arg3) || - issecure(SECURE_NO_CAP_AMBIENT_RAISE))) + issecure(SECURE_NO_CAP_AMBIENT_RAISE) || + capable(CAP_ENABLE_AMBIENT))) return -EPERM; new = prepare_creds(); -- 2.6.2
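Review bot: the new `capable(CAP_ENABLE_AMBIENT)` test in the PR_CAP_AMBIENT_RAISE condition is inverted relative to the stated intent. The block returns `-EPERM` when the OR-chain is true, so with `|| capable(CAP_ENABLE_AMBIENT)` a task that holds the new capability is refused and a task that lacks it falls through to the existing checks; the commit message says the capability is meant to "explicitly allow" ambient raises, which needs `|| !capable(CAP_ENABLE_AMBIENT)`. Two related points: `capable()` tests the effective set only, whereas the description says the bit may live in pP or pI, so a task with CAP_ENABLE_AMBIENT in pP but not pE would still be denied even after the sign is fixed; and `capable()` has side effects (it records the use of privilege and audits), which is heavier than the plain `cap_raised(current_cred()->cap_permitted, ...)` style used on the adjacent lines. Please also spell out in the message how this interacts with the existing `SECURE_NO_CAP_AMBIENT_RAISE` securebit, since both now gate the same path.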
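Review bot: the capability.h hunk changes the user-visible `CAP_LAST_CAP` from `CAP_AUDIT_READ` to a new value 38, which is a UAPI change; the commit message should state that `cap_valid()` and userspace tooling that enumerates capabilities by number or name (libcap's name table, tools that print capability masks) must be updated in lockstep, and the header needs a corresponding note in the comment block that documents each capability rather than the single line added here. Minor: the added comment reads "explicitely"; the word is "explicitly", and placing the comment line before the `-#define CAP_LAST_CAP` removal rather than directly above the `+#define CAP_ENABLE_AMBIENT 38` line makes the diff harder to read than it needs to be.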