LSM: add SafeSetID module that gates setid calls
author Micah Morton <mortonm@chromium.org>
Tue, 22 Jan 2019 22:42:09 +0000 (14:42 -0800)
committer James Morris <james.morris@microsoft.com>
Fri, 25 Jan 2019 19:22:43 +0000 (11:22 -0800)
commit 907b7d62eca440972f9241e6f0d9029fb2974fb6
tree 97db7b5d7dfae0ecd678b57bc861e60e949afe44
parent 25eaa1b7cb9c41edf305619b940c9e5a0083a1e0
LSM: add SafeSetID module that gates setid calls

This change ensures that the set*uid family of syscalls in kernel/sys.c
(setreuid, setuid, setresuid, setfsuid) all call ns_capable_common with
the CAP_OPT_INSETID flag, so capability checks in the security_capable
hook can know whether they are being called from within a set*uid
syscall. This change is a no-op by itself, but is needed for the
proposed SafeSetID LSM.

Signed-off-by: Micah Morton <mortonm@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
include/linux/capability.h
kernel/capability.c
kernel/sys.c