[PATCH] cap_inode_getsecurity: use d_find_any_alias() instead of d_find_alias()

Serge E. Hallyn serge at hallyn.com
Fri Jun 29 02:53:26 UTC 2018


On Fri, Jun 29, 2018 at 09:57:11AM +0800, Eddie.Horng wrote:
> On Thu, 2018-06-28 at 13:28 -0500, Serge E. Hallyn wrote:
> > Ah - I just tried his reproducer, and in fact got:
> > 
> > 0 ✓ serge at sl ~/test $ getcap execveat
> > execveat = cap_sys_admin+ep
> > 0 ✓ serge at sl ~/test $ ./execveat
> > execveat: Bad file descriptor
> > 
> > on ext4, with 4.15.0-22-generic #24~16.04.1-Ubuntu
> > 
> > Without the filecap, it works.
> > 
> > -serge
> 
> The simple reproducer expects /bin/echo to exist in the same 
> dir as the execveat executable and does not check the fd 
> returned by open("echo", ...). I'm not sure if you ran into this case,
> but I tried to run execveat without echo existing and got the same result:
> "execveat: Bad file descriptor".

Hah! Yes, I was in too much of a hurry; I ran it once with
./echo existing and no caps, and that worked; then I set the caps
on execveat instead of ./echo, and echo had gotten deleted by the
previous test, causing the failure like you said.

So, the same thing does happen with setuid anyway, so while that
seems worth addressing one day,

Acked-by: Serge Hallyn <serge at hallyn.com>

thanks,
-serge
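The failure both of them hit is not the filecap path at all: the reproducer's open("echo", ...) returned -1, and -1 was passed straight to execveat(), which the kernel rejects with EBADF before any capability or permission check runs. The following is an added example, not the reproducer from the thread, that shows both the unchecked call and a checked variant which separates "target missing" (errno from open) from "kernel refused the exec" (errno from execveat). It assumes the target is opened as an O_PATH descriptor and executed with AT_EMPTY_PATH, goes through syscall(2) because the glibc execveat() wrapper is newer than the userspace in the thread, and defaults to ./echo next to the binary as the reproducer did; the function names and the CLOEXEC-pipe reporting are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

extern char **environ;

/* execveat(2) via syscall(2): the glibc wrapper only appeared in 2.34. */
static int sys_execveat(int dirfd, const char *pathname,
                        char *const argv[], char *const envp[], int flags)
{
    return (int)syscall(SYS_execveat, dirfd, pathname, argv, envp, flags);
}

/* What the unchecked reproducer ends up doing when "echo" is missing:
 * open() returned -1 and -1 is handed straight to execveat(). Returns the
 * errno execveat() reports for that, which is EBADF, not a capability or
 * permission error. (Assumption: fd -1 stands in for the failed open.) */
int execveat_with_unchecked_fd(void)
{
    char *const argv[] = { "echo", NULL };
    int fd = -1;
    if (sys_execveat(fd, "", argv, environ, AT_EMPTY_PATH) == 0)
        return 0;                      /* cannot happen with a bad fd */
    return errno;
}

/* Checked version. Opens `path` as an O_PATH descriptor, forks, and
 * execveat()s it with AT_EMPTY_PATH in the child. Returns 0 when the exec
 * itself succeeded (whatever the target later exits with), the errno of
 * open() when the target cannot be opened, and the errno of execveat()
 * when the kernel refused the exec. A CLOEXEC pipe tells the parent which
 * of the last two happened: it closes on a successful exec, otherwise the
 * child writes its errno into it. */
int exec_by_fd(const char *path, char *const argv[])
{
    int fd = open(path, O_PATH | O_CLOEXEC);
    if (fd < 0)
        return errno;                  /* e.g. ENOENT: never reach execveat(-1) */

    int pfd[2];
    if (pipe2(pfd, O_CLOEXEC) < 0) {
        int e = errno;
        close(fd);
        return e;
    }

    pid_t pid = fork();
    if (pid < 0) {
        int e = errno;
        close(fd); close(pfd[0]); close(pfd[1]);
        return e;
    }
    if (pid == 0) {
        sys_execveat(fd, "", argv, environ, AT_EMPTY_PATH);
        int e = errno;                 /* only reached if the exec failed */
        if (write(pfd[1], &e, sizeof e) != (ssize_t)sizeof e)
            e = EIO;
        _exit(127);
    }

    close(fd);
    close(pfd[1]);
    int child_errno = 0;
    ssize_t n = read(pfd[0], &child_errno, sizeof child_errno);
    close(pfd[0]);
    int status;
    waitpid(pid, &status, 0);
    if (n == (ssize_t)sizeof child_errno)
        return child_errno;            /* execveat() failed in the child */
    return 0;                          /* pipe closed on exec: the target ran */
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "./echo";
    char *const echo_argv[] = { "echo", "hello", NULL };

    int e = execveat_with_unchecked_fd();
    printf("execveat(-1, ...): %s\n", strerror(e));

    e = exec_by_fd(target, echo_argv);
    if (e == 0)
        printf("execveat(%s): exec succeeded\n", target);
    else
        printf("execveat(%s) failed: %s\n", target, strerror(e));
    return e != 0;
}
```

Run it once with ./echo present and once after deleting it: the checked version reports "No such file or directory" from open() for the missing target, so a "Bad file descriptor" from this program can only come from the kernel refusing the descriptor it was actually given. With the file capability set on the target, any remaining failure is then attributable to the exec path rather than to the test harness.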
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
