From aa5c0514d913d924b1469679776bdcfb1a3594c2 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Tue, 22 Sep 2020 10:21:07 +0800 Subject: [PATCH] exec: Always set cap_ambient in cap_bprm_set_creds stable inclusion from linux-4.19.126 commit 6c45ea17efe78addf03c586690cf8ba9cc0a1839 -------------------------------- [ Upstream commit a4ae32c71fe90794127b32d26d7ad795813b502e ] An invariant of cap_bprm_set_creds is that every field in the new cred structure that cap_bprm_set_creds might set, needs to be set every time to ensure the field does not get a stale value. The field cap_ambient is not set every time cap_bprm_set_creds is called, which means that if there is a suid or sgid script with an interpreter that has neither the suid nor the sgid bits set the interpreter should be able to accept ambient credentials. Unfortunately because cap_ambient is not reset to its original value the interpreter can not accept ambient credentials. Given that the ambient capability set is expected to be controlled by the caller, I don't think this is particularly serious. But it is definitely worth fixing so the code works correctly. I have tested to verify my reading of the code is correct and the interpreter of a sgid can receive ambient capabilities with this change and cannot receive ambient capabilities without this change. Cc: stable@vger.kernel.org Cc: Andy Lutomirski Fixes: 58319057b784 ("capabilities: ambient capabilities") Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin Signed-off-by: Yang Yingliang --- security/commoncap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/commoncap.c b/security/commoncap.c index 2e489d6a3ac8..4ab1c37f2d19 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -820,6 +820,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) int ret; kuid_t root_uid; + new->cap_ambient = old->cap_ambient; if (WARN_ON(!cap_ambient_invariant_ok(old))) return -EPERM; -- GitLab
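Review bot: The new line `new->cap_ambient = old->cap_ambient;` is placed before the `WARN_ON(!cap_ambient_invariant_ok(old))` check, so on the `-EPERM` path `new` is populated from a cred set that just failed the ambient invariant; that is harmless only because the caller discards `new` on error, and moving the assignment to just after the `return -EPERM;` would make the ordering self-evident and keep the early-exit path free of writes to `new`. The hunk also carries no comment explaining why the copy must be unconditional, although the commit message states the rule clearly; a one-line comment such as `/* every field this function may set must be (re)initialised on every call */` above the assignment would stop a future refactor from hoisting it back under a conditional. Finally, the message describes a manual test of an sgid script whose interpreter lacks the sgid bit, but no regression test accompanies the change; since this is a stable backport of a `Fixes:` commit, a pointer to the upstream selftest (if one exists) or a note that none does would help reviewers of the 4.19 branch. (This assumes `new` and `old` are the function's existing cred pointers declared above the visible context.)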