Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

capabilities: add a securebit to disable PR_CAP_AMBIENT_RAISE

Per Andrew Morgan's request, add a securebit to allow admins to disable
PR_CAP_AMBIENT_RAISE. This securebit will prevent processes from adding
capabilities to their ambient set.

For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather than
just disabling setting previously cleared bits.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Aaron Jones <aaronmdjones@gmail.com>
Cc: Ted Ts'o <tytso@mit.edu>
Cc: Andrew G. Morgan <morgan@kernel.org>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
Cc: Markku Savela <msa@moth.iki.fi>
Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: James Morris <james.l.morris@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Authored by Andy Lutomirski and committed by Linus Torvalds
746bf6d6 32ae976e

+12 -2
+10 -1
include/uapi/linux/securebits.h
··· 43 43 #define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS)) 44 44 #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED)) 45 45 46 + /* When set, a process cannot add new capabilities to its ambient set. */ 47 + #define SECURE_NO_CAP_AMBIENT_RAISE 6 48 + #define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7 /* make bit-6 immutable */ 49 + 50 + #define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) 51 + #define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \ 52 + (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED)) 53 + 46 54 #define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ 47 55 issecure_mask(SECURE_NO_SETUID_FIXUP) | \ 48 - issecure_mask(SECURE_KEEP_CAPS)) 56 + issecure_mask(SECURE_KEEP_CAPS) | \ 57 + issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE)) 49 58 #define SECURE_ALL_LOCKS (SECURE_ALL_BITS << 1) 50 59 51 60 #endif /* _UAPI_LINUX_SECUREBITS_H */
+2 -1
security/commoncap.c
··· 993 993 if (arg2 == PR_CAP_AMBIENT_RAISE && 994 994 (!cap_raised(current_cred()->cap_permitted, arg3) || 995 995 !cap_raised(current_cred()->cap_inheritable, 996 - arg3))) 996 + arg3) || 997 + issecure(SECURE_NO_CAP_AMBIENT_RAISE))) 997 998 return -EPERM; 998 999 999 1000 new = prepare_creds();
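Review bot: in include/uapi/linux/securebits.h the only non-obvious constraint is that SECURE_ALL_LOCKS is derived as `SECURE_ALL_BITS << 1`, so the new lock bit is included only because `SECURE_NO_CAP_AMBIENT_RAISE_LOCKED` was placed at exactly raise-bit+1 (7 next to 6); a one-line comment on the `#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED 7` line stating that the lock bit must stay at raise+1 would make that invariant explicit for the next person who adds a securebit, and the trailing `/* make bit-6 immutable */` could be folded into it. Also, this introduces a new uapi-visible bit pair while the diff touches only the header and security/commoncap.c, with no accompanying documentation change, so the user-visible semantics live only in the one-line header comment.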
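Review bot: in the security/commoncap.c hunk, `issecure(SECURE_NO_CAP_AMBIENT_RAISE)` is appended as the last disjunct after the two `cap_raised()` tests; since it does not depend on arg3 and is the cheapest check, putting it first in the `||` chain would read more naturally as "policy forbids raising at all, else check the caps", with identical behaviour. The gate is correctly limited to `arg2 == PR_CAP_AMBIENT_RAISE`, so PR_CAP_AMBIENT_LOWER and CLEAR_ALL remain unaffected, matching the commit message. Note that a caller cannot distinguish "securebit set" from "capability not in permitted/inheritable", because both paths return -EPERM; that is acceptable, but worth a mention in the commit message so user space does not misread the error.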