author | Andy Lutomirski <[email protected]> | 2015-09-04 15:42:51 -0700 |
committer | Linus Torvalds <[email protected]> | 2015-09-04 16:54:41 -0700 |
commit | 746bf6d64275be0c65b0631d8a72b16f1454cfa1 (patch) | |
tree | 5debc8e6f0207fdea53271f631f37e319d39fff4 | |
parent | 32ae976ed3b5ba39c9208ace41bcdf4157d21db3 (diff) |
capabilities: add a securebit to disable PR_CAP_AMBIENT_RAISE
Per Andrew Morgan's request, add a securebit to allow admins to disable
PR_CAP_AMBIENT_RAISE. This securebit will prevent processes from adding
capabilities to their ambient set.
For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather than
just disabling setting previously cleared bits.
Signed-off-by: Andy Lutomirski <[email protected]>
Acked-by: Andrew G. Morgan <[email protected]>
Acked-by: Serge Hallyn <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Christoph Lameter <[email protected]>
Cc: Serge Hallyn <[email protected]>
Cc: Jonathan Corbet <[email protected]>
Cc: Aaron Jones <[email protected]>
Cc: Ted Ts'o <[email protected]>
Cc: Andrew G. Morgan <[email protected]>
Cc: Mimi Zohar <[email protected]>
Cc: Austin S Hemmelgarn <[email protected]>
Cc: Markku Savela <[email protected]>
Cc: Jarkko Sakkinen <[email protected]>
Cc: Michael Kerrisk <[email protected]>
Cc: James Morris <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
-rw-r--r-- | include/uapi/linux/securebits.h | 11 | ||||
-rw-r--r-- | security/commoncap.c | 3 |
2 files changed, 12 insertions, 2 deletions
diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h
index 985aac9e6bf8..35ac35cef217 100644
--- a/include/uapi/linux/securebits.h
+++ b/include/uapi/linux/securebits.h
@@ -43,9 +43,18 @@
 #define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
 #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
 
+/* When set, a process cannot add new capabilities to its ambient set. */
+#define SECURE_NO_CAP_AMBIENT_RAISE 6
+#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */
+
+#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
+#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
+ (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
+
 #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
  issecure_mask(SECURE_NO_SETUID_FIXUP) | \
- issecure_mask(SECURE_KEEP_CAPS))
+ issecure_mask(SECURE_KEEP_CAPS) | \
+ issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
 #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)
 
 #endif /* _UAPI_LINUX_SECUREBITS_H */
diff --git a/security/commoncap.c b/security/commoncap.c
index 1f74dde1063e..1832cf701c3d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -993,7 +993,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
 if (arg2 == PR_CAP_AMBIENT_RAISE &&
 (!cap_raised(current_cred()->cap_permitted, arg3) ||
 !cap_raised(current_cred()->cap_inheritable,
- arg3)))
+ arg3) ||
+ issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
 return -EPERM;
 
 new = prepare_creds();
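Review bot: The `/* make bit-6 immutable */` comment on the new SECURE_NO_CAP_AMBIENT_RAISE_LOCKED leaves implicit why its value must be exactly 7: the context line `#define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1)` derives every lock mask by shifting, so a lock bit that is not exactly one above its securebit would be absent from SECURE_ALL_LOCKS and the bit would be settable but never lockable. Since this is a uapi header that userspace will copy the constants from, suggest making the invariant explicit: `#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable; must be bit-6 + 1, SECURE_ALL_LOCKS is SECURE_ALL_BITS << 1 */`. The same pairing rule governs the existing bits above the hunk, so the note could equally sit once at the top of the list.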
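Review bot: The added `issecure(SECURE_NO_CAP_AMBIENT_RAISE)` term rejects PR_CAP_AMBIENT_RAISE for every capability, including one already present in the ambient set; the commit message says this is deliberate ("for simplicity"), but nothing in the code records that, so a later reader may narrow it to previously-cleared bits and silently weaken the lockdown. A one-line comment above the `if` would pin the contract: `/* SECURE_NO_CAP_AMBIENT_RAISE disables RAISE entirely, even for bits already in the ambient set. */`. As a style point only, since all three conditions share the -EPERM result, placing the securebit test first and the two cap_raised() lookups after it would make the intended precedence read more clearly. cap_task_prctl begins and ends outside the hunk.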