author | Kees Cook <keescook@chromium.org> | 2017-07-18 15:25:28 -0700 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2017-08-01 12:03:09 -0700 |
commit | ee67ae7ef6ff499137292ac8a9dfe86096796283 | |
tree | 6a23c8212426db697546ead1019325504f53114c /include | |
parent | 46d98eb4e1d2bc225f661879e0e157a952107598 | |
commoncap: Move cap_elevated calculation into bprm_set_creds
Instead of a separate function, open-code the cap_elevated test, which
lets us entirely remove bprm->cap_effective (to use the local "effective"
variable instead), and more accurately examine euid/egid changes via the
existing local "is_setid".
The following LTP tests were run to validate the changes:
# ./runltp -f syscalls -s cap
# ./runltp -f securebits
# ./runltp -f cap_bounds
# ./runltp -f filecaps
All kernel selftests for capabilities and exec continue to pass as well.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/binfmts.h | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index 213c61fa3780..fb44d6180ca0 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -31,9 +31,6 @@ struct linux_binprm { * binfmt_script/misc). */ called_set_creds:1, - cap_effective:1,/* true if has elevated effective capabilities, - * false if not; except for init which inherits - * its parent's caps anyway */ /* * True if most recent call to the commoncaps bprm_set_creds * hook (due to multiple prepare_binprm() calls from the |
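Review bot: Removing the `cap_effective:1` bit from `struct linux_binprm` also deletes the only comment in this header that records the init exception ("except for init which inherits its parent's caps anyway"), so that caveat should be restated next to the open-coded test in the commoncap bprm_set_creds hook, where the commit message says the local "effective" variable now carries the value. Because this view is limited to include/, the consumer side of the change is not visible here; before merging, confirm with a tree-wide search for `bprm->cap_effective` that no binfmt handler or other LSM still reads the removed field, since any remaining user would fail to build.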