On Fri, Jan 27, 2012 at 3:24 PM, Will Drewry <wad@xxxxxxxxxxxx> wrote: > Filter programs will be inherited across fork/clone and execve. > However, if the task attaching the filter is unprivileged > (!CAP_SYS_ADMIN) the no_new_privs bit will be set on the task. This > ensures that unprivileged tasks cannot attach filters that affect > privileged tasks (e.g., setuid binary). This makes me nervous -- I don't think that the behavior of any new API should be different depending on privilege level -- adding a privilege should just make things work that would otherwise fail. You might end up with bugs where a program is completely safe if run without CAP_SYS_ADMIN but, if run with CAP_SYS_ADMIN, bad things happen. (The behavior of setuid(geteuid()) is an example of this problem.) One way to fix it is to make setting a filter program fail unless capable(CAP_SYS_ADMIN ) || no_new_privs. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
