]> pilppa.com Git - linux-2.6-omap-h63xx.git/commit
Fix filesystem capability support
authorAndrew G. Morgan <morgan@kernel.org>
Tue, 22 Jan 2008 01:18:30 +0000 (17:18 -0800)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Tue, 22 Jan 2008 03:39:41 +0000 (19:39 -0800)
commita6dbb1ef2fc8d73578eacd02ac701f4233175c9f
treeeb2efa0193cdc7ab6b1f30068571194d0dabf230
parenta10336043b8193ec603ad54bb79cdcd26bbf94b3
Fix filesystem capability support

In linux-2.6.24-rc1, security/commoncap.c:cap_inh_is_capped() was
introduced. It has the exact reverse of its intended behavior. This
led to an unintended privilege esculation involving a process'
inheritable capability set.

To be exposed to this bug, you need to have Filesystem Capabilities
enabled and in use. That is:

- CONFIG_SECURITY_FILE_CAPABILITIES must be defined for the buggy code
  to be compiled in.

- You also need to have files on your system marked with fI bits raised.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@akpm@linux-foundation.org>
security/commoncap.c