lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Dec 2006 13:38:25 -0600 From: "Serge E. Hallyn" <serue@...ibm.com> To: lkml <linux-kernel@...r.kernel.org> Cc: linux-security-module@...r.kernel.org, Andrew Morton <akpm@...l.org>, Stephen Smalley <sds@...ch.ncsc.mil> Subject: [PATCH 1/2] file capabilities: don't do file caps if MNT_NOSUID From: Serge E. Hallyn <serue@...ibm.com> Subject: [PATCH 1/2] file capabilities: don't do file caps if MNT_NOSUID A file system mounted NOSUID is likely a removable filesystem. Allowing file capabilities from such an fs is an easy attack vector, so don't honor file capabilities for a NOSUID filesystem. Signed-off-by: Serge E. Hallyn <serue@...ibm.com> --- security/commoncap.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/security/commoncap.c b/security/commoncap.c index ce91d9f..fde9695 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -23,6 +23,7 @@ #include <linux/netlink.h> #include <linux/ptrace.h> #include <linux/xattr.h> #include <linux/hugetlb.h> +#include <linux/mount.h> int cap_netlink_send(struct sock *sk, struct sk_buff *skb) { @@ -152,6 +153,9 @@ static int set_file_caps(struct linux_bi struct inode *inode; int err; + if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) + return 0; + dentry = dget(bprm->file->f_dentry); inode = dentry->d_inode; if (!inode->i_op || !inode->i_op->getxattr) { -- 1.4.1 - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists