[kernel] r10970 - in dists/sid/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Tue Mar 25 07:48:11 UTC 2008


Author: dannf
Date: Tue Mar 25 07:48:10 2008
New Revision: 10970

Log:
* Remove cap_task_kill (closes: #463669)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/cap-remove-cap_task_kill.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/5

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	(original)
+++ dists/sid/linux-2.6/debian/changelog	Tue Mar 25 07:48:10 2008
@@ -130,7 +130,10 @@
   * [mips/r4k-ip22] Enable PPP, PPPOE and SLIP.
   * [mips/r5k-ip32] Enable PPP, PPPOE and SLIP.
 
- -- dann frazier <dannf at debian.org>  Mon, 10 Mar 2008 14:03:59 -0600
+  [ dann frazier ]
+  * Remove cap_task_kill (closes: #463669)
+
+ -- dann frazier <dannf at debian.org>  Tue, 25 Mar 2008 01:19:47 -0600
 
 linux-2.6 (2.6.24-4) unstable; urgency=low
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/cap-remove-cap_task_kill.patch
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6/debian/patches/bugfix/cap-remove-cap_task_kill.patch	Tue Mar 25 07:48:10 2008
@@ -0,0 +1,119 @@
+Backported to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+commit aedb60a67c10a0861af179725d060765262ba0fb
+Author: Serge Hallyn <serge at hallyn.com>
+Date:   Fri Feb 29 15:14:57 2008 +0000
+
+    file capabilities: remove cap_task_kill()
+    
+    The original justification for cap_task_kill() was as follows:
+    
+    	check_kill_permission() does appropriate uid equivalence checks.
+    	However with file capabilities it becomes possible for an
+    	unprivileged user to execute a file with file capabilities
+    	resulting in a more privileged task with the same uid.
+    
+    However now that cap_task_kill() always returns 0 (permission
+    granted) when p->uid==current->uid, the whole hook is worthless,
+    and only likely to create more subtle problems in the corner cases
+    where it might still be called but return -EPERM.  Those cases
+    are basically when uids are different but euid/suid is equivalent
+    as per the check in check_kill_permission().
+    
+    One example of a still-broken application is 'at' for non-root users.
+    
+    This patch removes cap_task_kill().
+    
+    Signed-off-by: Serge Hallyn <serge at hallyn.com>
+    Acked-by: Andrew G. Morgan <morgan at kernel.org>
+    Earlier-version-tested-by: Luiz Fernando N. Capitulino <lcapitulino at mandriva.com.br>
+    Acked-by: Casey Schaufler <casey at schaufler-ca.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff -urpN linux-source-2.6.24.orig/include/linux/security.h linux-source-2.6.24/include/linux/security.h
+--- linux-source-2.6.24.orig/include/linux/security.h	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/include/linux/security.h	2008-03-25 00:12:19.000000000 -0600
+@@ -62,7 +62,6 @@ extern int cap_inode_need_killpriv(struc
+ extern int cap_inode_killpriv(struct dentry *dentry);
+ extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
+ extern void cap_task_reparent_to_init (struct task_struct *p);
+-extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid);
+ extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp);
+ extern int cap_task_setioprio (struct task_struct *p, int ioprio);
+ extern int cap_task_setnice (struct task_struct *p, int nice);
+@@ -2112,7 +2111,7 @@ static inline int security_task_kill (st
+ 				      struct siginfo *info, int sig,
+ 				      u32 secid)
+ {
+-	return cap_task_kill(p, info, sig, secid);
++	return 0;
+ }
+ 
+ static inline int security_task_wait (struct task_struct *p)
+diff -urpN linux-source-2.6.24.orig/security/capability.c linux-source-2.6.24/security/capability.c
+--- linux-source-2.6.24.orig/security/capability.c	2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/security/capability.c	2008-03-25 00:12:19.000000000 -0600
+@@ -40,7 +40,6 @@ static struct security_operations capabi
+ 	.inode_need_killpriv =		cap_inode_need_killpriv,
+ 	.inode_killpriv =		cap_inode_killpriv,
+ 
+-	.task_kill =			cap_task_kill,
+ 	.task_setscheduler =		cap_task_setscheduler,
+ 	.task_setioprio =		cap_task_setioprio,
+ 	.task_setnice =			cap_task_setnice,
+diff -urpN linux-source-2.6.24.orig/security/commoncap.c linux-source-2.6.24/security/commoncap.c
+--- linux-source-2.6.24.orig/security/commoncap.c	2008-03-24 17:45:05.000000000 -0600
++++ linux-source-2.6.24/security/commoncap.c	2008-03-25 00:37:27.000000000 -0600
+@@ -527,40 +527,6 @@ int cap_task_setnice (struct task_struct
+ 	return cap_safe_nice(p);
+ }
+ 
+-int cap_task_kill(struct task_struct *p, struct siginfo *info,
+-				int sig, u32 secid)
+-{
+-	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
+-		return 0;
+-
+-	/*
+-	 * Running a setuid root program raises your capabilities.
+-	 * Killing your own setuid root processes was previously
+-	 * allowed.
+-	 * We must preserve legacy signal behavior in this case.
+-	 */
+-	if (p->uid == current->uid)
+-		return 0;
+-
+-	/* sigcont is permitted within same session */
+-	if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
+-		return 0;
+-
+-	if (secid)
+-		/*
+-		 * Signal sent as a particular user.
+-		 * Capabilities are ignored.  May be wrong, but it's the
+-		 * only thing we can do at the moment.
+-		 * Used only by usb drivers?
+-		 */
+-		return 0;
+-	if (cap_issubset(p->cap_permitted, current->cap_permitted))
+-		return 0;
+-	if (capable(CAP_KILL))
+-		return 0;
+-
+-	return -EPERM;
+-}
+ #else
+ int cap_task_setscheduler (struct task_struct *p, int policy,
+ 			   struct sched_param *lp)
+@@ -575,11 +541,6 @@ int cap_task_setnice (struct task_struct
+ {
+ 	return 0;
+ }
+-int cap_task_kill(struct task_struct *p, struct siginfo *info,
+-				int sig, u32 secid)
+-{
+-	return 0;
+-}
+ #endif
+ 
+ void cap_task_reparent_to_init (struct task_struct *p)
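Review bot: The patch header line `Backported to Debian's 2.6.24 by dann frazier` does not say how this backport differs from upstream commit aedb60a67c10, so a reader cannot tell whether the three files touched here cover every user of `cap_task_kill()` in Debian's tree. Because the prototype is dropped from include/linux/security.h, any remaining direct caller should fail to build, but that is only certain if the tree is built with the security framework both enabled and disabled. I would add a short line under the header such as `Backport notes: <which upstream hunks were dropped or adjusted, and why>`. It would also be worth recording there that after this change the `cap_issubset(p->cap_permitted, current->cap_permitted)` comparison no longer gates signals, so kill permission rests on the uid checks in check_kill_permission(), as the upstream message describes. The inner hunks cut through `security_task_kill()` and the `capability_ops` initializer, so only the visible lines were reviewed.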

Modified: dists/sid/linux-2.6/debian/patches/series/5
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/5	(original)
+++ dists/sid/linux-2.6/debian/patches/series/5	Tue Mar 25 07:48:10 2008
@@ -1,2 +1,3 @@
 + bugfix/all/stable/2.6.24.3.patch
 + bugfix/all/stable/2.6.24.4.patch
++ bugfix/cap-remove-cap_task_kill.patch


