statd drops all capabilities except for CAP_NET_BIND when it starts. It's
possible though that if it ever had a compromise that an attacker would be
able to invoke a setuid process (or something with file capabilities) in
order to reinstate some caps.
In order to prevent that, have statd also prune the bounding set to nothing
prior to dropping capabilities.
Cc: Chuck Lever <chuck.lever@xxxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
support/nsm/file.c | 12 ++++++++++++
1 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/support/nsm/file.c b/support/nsm/file.c
index 5dd52c1..2d86f95 100644
--- a/support/nsm/file.c
+++ b/support/nsm/file.c
@@ -342,8 +342,20 @@ static _Bool
nsm_clear_capabilities(void)
{
#ifdef HAVE_SYS_CAPABILITY_H
+ int ret;
+ unsigned long i;
cap_t caps;
+ /* prune the bounding set to nothing */
+ for (i = 0; i <= CAP_LAST_CAP; ++i) {
+ ret = prctl(PR_CAPBSET_DROP, i);
+ if (ret) {
+ xlog(L_ERROR, "Unable to prune capability %lu from "
+ "bounding set: %m", i);
+ return false;
+ }
+ }
+
caps = cap_from_text("cap_net_bind_service=ep");
if (caps == NULL) {
xlog(L_ERROR, "Failed to allocate capability: %m");
--
1.7.7.6
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
