[PATCH] security/commoncap: don't assume "setid" if all ids are identical
Max Kellermann
max.kellermann at ionos.com
Fri May 9 17:50:12 UTC 2025
On Wed, May 7, 2025 at 8:33 AM Max Kellermann <max.kellermann at ionos.com> wrote:
> What protection do you mean, and what behavior do you expect when
> setid execs itself? I see this affects:
>
> 1. reset effective ids to real ids (only affects NO_NEW_PRIVS)
> 2. new cap_permitted cannot be higher than old cap_permitted
> 3. clear cap_ambient
> 4. clear pdeath_signal (in begin_new_exec)
> 5. reset stack limits (in begin_new_exec)
>
[...]
>
> Did I miss anything?
Indeed I missed something (but this was apparently so hard to find
that nobody could answer my question, until I found out myself).
The "secureexec" flag is not just used for resetting pdeath_signal and
stack limits; its primary purpose is to set the AT_SECURE ELF flag.
So yes, my patch is wrong. The "secureexec" setting must be excluded
from my patch.
Max
More information about the Linux-security-module-archive
mailing list