capabilities: do not grant full privs for setuid w/ file caps + no effective caps
A task (when !SECURE_NOROOT) which executes a setuid-root binary will
obtain root privileges while executing that binary. If the binary also
has effective capabilities set, then only those capabilities will be
granted. The rationale is that the same binary can carry both setuid-root
and the minimal file capability set, so that on a filesystem not
supporting file caps the binary can still be executed with privilege,
while on a filesystem supporting file caps it will run with minimal
privilege.
This special case currently does NOT happen if there are file capabilities
but no effective capabilities. Since capability-aware programs can very
well start with empty pE but populated pP and move those caps to pE when
needed. In other words, if the file has file capabilities but NOT
effective capabilities, then we should do the same thing as if there
were file capabilities, and not grant full root privileges.
This patchset does that.
(Changelog by Serge Hallyn).
Signed-off-by: Zhi Li <lizhi1215@gmail.com>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
1 file changed