git.baikalelectronics.ru Git - kernel.git/commit
Fix filesystem capability support
author Andrew G. Morgan <morgan@kernel.org>
Tue, 22 Jan 2008 01:18:30 +0000 (17:18 -0800)
committer Linus Torvalds <torvalds@woody.linux-foundation.org>
Tue, 22 Jan 2008 03:39:41 +0000 (19:39 -0800)
commit 32b412f02044b2a694592b4539dd0d764f783e4a
tree eb2efa0193cdc7ab6b1f30068571194d0dabf230
parent 919b7b162e0f052f1da33162c06844ce7c07c005
Fix filesystem capability support

In linux-2.6.24-rc1, security/commoncap.c:cap_inh_is_capped() was
introduced. It has the exact reverse of its intended behavior. This
led to an unintended privilege escalation involving a process'
inheritable capability set.

To be exposed to this bug, you need to have Filesystem Capabilities
enabled and in use. That is:

- CONFIG_SECURITY_FILE_CAPABILITIES must be defined for the buggy code
  to be compiled in.

- You also need to have files on your system marked with fI bits raised.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
security/commoncap.c
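
A user-space model of the reversed predicate the commit message describes, added here as an illustration; it is not the kernel's code and not part of the commit. All names are hypothetical, the bounding set is assumed to be all-ones, and the task and file capability values are constructed; it shows why both exposure conditions (the inverted check and a file with fI bits raised) are needed before the permitted set grows.

```c
#include <errno.h>
#include <stdio.h>
typedef unsigned int capset_t;        /* one bit per capability (model only) */
#define CAP_SETPCAP_BIT   (1u << 8)   /* CAP_SETPCAP is capability number 8 */
#define CAP_NET_ADMIN_BIT (1u << 12)  /* CAP_NET_ADMIN is capability number 12 */
struct task { capset_t inheritable, permitted, effective; };

/* Models the kernel convention: 0 means "capable", nonzero means "not capable". */
static int model_cap_capable(const struct task *t, capset_t cap)
{
    return (t->effective & cap) ? 0 : -EPERM;
}

/* Intended predicate: the inheritable set is capped when CAP_SETPCAP is absent. */
static int inh_is_capped_fixed(const struct task *t)
{
    return model_cap_capable(t, CAP_SETPCAP_BIT) != 0;
}

/* Reversed predicate: capped only when the caller *does* hold CAP_SETPCAP. */
static int inh_is_capped_reversed(const struct task *t)
{
    return model_cap_capable(t, CAP_SETPCAP_BIT) == 0;
}

/* capset()-style check: when capped, the new pI must stay within old pI | pP. */
static int set_inheritable(struct task *t, capset_t new_pi, int (*is_capped)(const struct task *))
{
    if (is_capped(t) && (new_pi & ~(t->inheritable | t->permitted)))
        return -EPERM;
    t->inheritable = new_pi;
    return 0;
}

/* Permitted set after exec of a file: pP' = fP | (fI & pI), bounding set omitted. */
static capset_t exec_permitted(const struct task *t, capset_t fP, capset_t fI)
{
    return fP | (fI & t->inheritable);
}

int main(void)
{
    struct task fixed = {0, 0, 0}, buggy = {0, 0, 0};  /* constructed: no capabilities held */
    int rf = set_inheritable(&fixed, CAP_NET_ADMIN_BIT, inh_is_capped_fixed);
    int rb = set_inheritable(&buggy, CAP_NET_ADMIN_BIT, inh_is_capped_reversed);
    printf("fixed:    rc=%d pP'=%#x\n", rf, exec_permitted(&fixed, 0, CAP_NET_ADMIN_BIT));
    printf("reversed: rc=%d pP'=%#x\n", rb, exec_permitted(&buggy, 0, CAP_NET_ADMIN_BIT));
    return 0;
}
```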