commoncap.c (3423166fdbc2444bf3a4a27af1d7508364a17be7) commoncap.c (259e5e6c75a910f3b5e656151dc602f53f9d7548)
1/* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */

--- 492 unchanged lines hidden (view full) ---

501 old->cap_inheritable);
502 }
503 if (new->euid == 0)
504 effective = true;
505 }
506skip:
507
508 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
1/* Common capabilities, needed by capability.o.
2 *
3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 */

--- 492 unchanged lines hidden (view full) ---

501 old->cap_inheritable);
502 }
503 if (new->euid == 0)
504 effective = true;
505 }
506skip:
507
508 /* Don't let someone trace a set[ug]id/setpcap binary with the revised
509 * credentials unless they have the appropriate permit
509 * credentials unless they have the appropriate permit.
510 *
511 * In addition, if NO_NEW_PRIVS, then ensure we get no new privs.
510 */
511 if ((new->euid != old->uid ||
512 new->egid != old->gid ||
513 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
514 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
515 /* downgrade; they get no more than they had, and maybe less */
512 */
513 if ((new->euid != old->uid ||
514 new->egid != old->gid ||
515 !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
516 bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
517 /* downgrade; they get no more than they had, and maybe less */
516 if (!capable(CAP_SETUID)) {
518 if (!capable(CAP_SETUID) ||
519 (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
517 new->euid = new->uid;
518 new->egid = new->gid;
519 }
520 new->cap_permitted = cap_intersect(new->cap_permitted,
521 old->cap_permitted);
522 }
523
524 new->suid = new->fsuid = new->euid;

--- 444 unchanged lines hidden ---
520 new->euid = new->uid;
521 new->egid = new->gid;
522 }
523 new->cap_permitted = cap_intersect(new->cap_permitted,
524 old->cap_permitted);
525 }
526
527 new->suid = new->fsuid = new->euid;

--- 444 unchanged lines hidden ---
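Review bot: In the new inner test at new lines 518-519, `!capable(CAP_SETUID)` is evaluated before the `LSM_UNSAFE_NO_NEW_PRIVS` bit, so a no_new_privs exec still runs a capability check whose result cannot change the outcome. In the kernel capable() is not a pure predicate (it can produce an audit record on denial and mark the task as having used privilege), so testing the flag first is the cleaner order: `if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) || !capable(CAP_SETUID)) {`. The downgrade is also only reached when the outer `bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP` mask is non-zero, so the guarantee in the new comment depends on the exec path setting that bit in `bprm->unsafe`, which is not visible here; the comment could state it, e.g. `* With LSM_UNSAFE_NO_NEW_PRIVS set in bprm->unsafe, euid/egid are reset even for a CAP_SETUID holder.` The enclosing function starts and ends in the hidden lines.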