>From 2a0af2a5364ab568fa603cc9fdaeeef67d82dc56 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <serue@xxxxxxxxxx>
Date: Fri, 28 Sep 2007 14:07:03 -0500
Subject: [PATCH 3/3] capabilities: reduce current's caps when reducing bset

When a task sets it's capability bounding set, ensure that pI pE and pP are subsets of the new bounding set. (note the new bset is a subset of the original)

Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
 security/commoncap.c | 6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 324ff2a..dcd5af4 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -585,6 +585,12 @@ int cap_prctl_setbset(unsigned long new_bset)
 if (!cap_issubset(new_bset, current->cap_bset))
 return -EPERM;
 current->cap_bset = new_bset;
+ current->cap_effective = cap_intersect(current->cap_effective,
+ new_bset);
+ current->cap_permitted = cap_intersect(current->cap_permitted,
+ new_bset);
+ current->cap_inheritable = cap_intersect(current->cap_inheritable,
+ new_bset);
 return 0;
 }

-- 
1.5.1.6
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
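Review bot: The three added `cap_intersect()` assignments are plain read-modify-write updates of `current`'s effective, permitted and inheritable sets, and no lock is taken in the visible part of `cap_prctl_setbset()`. If another path can write these fields for this task (for instance a capset aimed at it by pid; that is not visible here, so it needs confirming), an interleaved write could be lost or could leave a set outside `new_bset`. Taking whatever lock that path uses around the block would close the gap. A successful call now also silently drops capabilities the caller currently holds while still returning 0, so a comment above the block would help, e.g. `/* Clamp pE, pP and pI to the new bounding set so no held capability lies outside it. */`. The function body starts before the hunk, so earlier checks or locking may exist that are not shown.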