Message-Id: <20210728072629.530435-1-ran.xiaokai@zte.com.cn>
Date: Wed, 28 Jul 2021 00:26:29 -0700
From: cgel.zte@...il.com
To: christian.brauner@...ntu.com, peterz@...radead.org,
tglx@...utronix.de
Cc: linux-kernel@...r.kernel.org, Ran Xiaokai <ran.xiaokai@....com.cn>
Subject: [PATCH] set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds
From: Ran Xiaokai <ran.xiaokai@....com.cn>
In copy_process(), non-root users with the capability CAP_SYS_RESOURCE
or CAP_SYS_ADMIN will clean the PF_NPROC_EXCEEDED flag even if
rlimit(RLIMIT_NPROC) is exceeded. Add the same capability check logic here.
Signed-off-by: Ran Xiaokai <ran.xiaokai@....com.cn>
---
kernel/sys.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index ef1a78f5d71c..72c7639e3c98 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -480,7 +480,8 @@ static int set_user(struct cred *new)
* failure to the execve() stage.
*/
if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) &&
- new_user != INIT_USER)
+ new_user != INIT_USER &&
+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
current->flags |= PF_NPROC_EXCEEDED;
else
current->flags &= ~PF_NPROC_EXCEEDED;
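Review bot: The two capable() calls on the added line test the capabilities of the calling task as it is now, while the limit check on the line above is made against new->ucounts, the credentials being switched to. A privileged caller that is changing to an unprivileged user still holds CAP_SYS_RESOURCE or CAP_SYS_ADMIN at this point, so with this condition PF_NPROC_EXCEEDED is not set for it and the deferred failure at the execve() stage that the comment describes is skipped, even though the process will be running over the limit without those capabilities afterwards. Please either test the capabilities carried by new rather than those of the caller, or explain in the commit message why the caller's current capabilities are the right thing to check in set_user(). The comment block ending in "failure to the execve() stage." should also be updated to mention the capability exemption, since the code below it no longer matches what it describes.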
--
2.25.1