capabilities: do not special case exec of init

When the global init task is exec'd we have special case logic to make sure the pE is not reduced. There is no reason for this. If init wants to drop it's pE is should be allowed to do so. Remove this special logic. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Serge Hallyn <serge@hallyn.com> Acked-by: N David Howells <dhowells@redhat.com> Acked-by: N Andrew G. Morgan <morgan@kernel.org> Signed-off-by: N James Morris <jmorris@namei.org>

capabilities: do not special case exec of init
When the global init task is exec'd we have special case logic to make sure the pE is not reduced. There is no reason for this. If init wants to drop it's pE is should be allowed to do so. Remove this special logic. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N Serge Hallyn <serge@hallyn.com> Acked-by: N David Howells <dhowells@redhat.com> Acked-by: N Andrew G. Morgan <morgan@kernel.org> Signed-off-by: N James Morris <jmorris@namei.org>
4bf2ea77 · Eric Paris · James Morris · 17f60a7d · 4bf2ea77
隐藏空白更改
内联并排

Showing with 4 addition and 9 deletion

security/commoncap.c security/commoncap.c +4 -9

未找到文件。
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -529,15 +529,10 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
 	new->suid = new->fsuid = new->euid;
 	new->sgid = new->fsgid = new->egid;

-	/* For init, we want to retain the capabilities set in the initial
-	 * task.  Thus we skip the usual capability rules
-	 */
-	if (!is_global_init(current)) {
-		if (effective)
-			new->cap_effective = new->cap_permitted;
-		else
-			cap_clear(new->cap_effective);
-	}
+	if (effective)
+		new->cap_effective = new->cap_permitted;
+	else
+		cap_clear(new->cap_effective);
 	bprm->cap_effective = effective;

 	/*