From patchwork Tue Apr 24 22:03:21 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve Conklin <sconklin@canonical.com>
X-Patchwork-Id: 154766
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com
	[91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id C4B03B6EF1
	for <incoming@patchwork.ozlabs.org>;
	Wed, 25 Apr 2012 08:03:58 +1000 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1SMnpm-0005DD-2Z; Tue, 24 Apr 2012 22:03:42 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by chlorine.canonical.com with esmtp (Exim 4.71)
	(envelope-from <sconklin@canonical.com>) id 1SMnpk-0005Co-C7
	for kernel-team@lists.ubuntu.com; Tue, 24 Apr 2012 22:03:40 +0000
Received: from user-69-73-1-154.knology.net ([69.73.1.154]
	helo=[172.31.0.160]) by youngberry.canonical.com with esmtpsa
	(TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71)
	(envelope-from <sconklin@canonical.com>) id 1SMnpk-0000v2-4a
	for kernel-team@lists.ubuntu.com; Tue, 24 Apr 2012 22:03:40 +0000
Message-ID: <4F972329.60400@canonical.com>
Date: Tue, 24 Apr 2012 17:03:21 -0500
From: Steve Conklin <sconklin@canonical.com>
User-Agent: Mozilla/5.0 (X11; Linux i686;
	rv:11.0) Gecko/20120411 Thunderbird/11.0.1
MIME-Version: 1.0
To: kernel-team@lists.ubuntu.com
Subject: [CVE-2012-2123] lucid/natty fcaps: clear the same personality flags
	as suid when fcaps are used
X-Enigmail-Version: 1.4
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

This is a clean application of an upstream patch. The same fix has
already come from upstream stable for Oneiric and Precise.

-Steve

From c825bb675aea46fe858b58d1d31dccc6bb7c03c1 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Tue, 17 Apr 2012 16:26:54 -0400
Subject: [PATCH] fcaps: clear the same personality flags as suid when fcaps
 are used

CVE-2012-2123

BugLink: http://bugs.launchpad.net/bugs/987571

If a process increases permissions using fcaps all of the dangerous
personality flags which are cleared for suid apps should also be cleared.
Thus programs given priviledge with fcaps will continue to have address
space
randomization enabled even if the parent tried to disable it to make it
easier to attack.

Signed-off-by: Eric Paris <eparis@redhat.com>
Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>

(cherry picked from commit d52fc5dde1)
Signed-off-by: Steve Conklin <sconklin@canonical.com>
---
 security/commoncap.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/security/commoncap.c b/security/commoncap.c
index 50be79b..5d5f64b 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -512,6 +512,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
 	}
 skip:

+	/* if we have fs caps, clear dangerous personality flags */
+	if (!cap_issubset(new->cap_permitted, old->cap_permitted))
+		bprm->per_clear |= PER_CLEAR_ON_SETID;
+
+
 	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
 	 * credentials unless they have the appropriate permit
 	 */