niansa-misc/linux
1
0
Fork 0
mirror of synced 2025-03-06 20:59:54 +01:00
Code Issues Projects Releases Packages Wiki Activity

kernel.sys.v5.15

Browse source 
-----BEGIN PGP SIGNATURE-----
 
 iHUEABYKAB0WIQRAhzRXHqcMeLMyaSiRxhvAZXjcogUCYS3lRQAKCRCRxhvAZXjc
 oqH9AP999iWN7nOOr4QpnQZVMEbwYlZksdjJso0i2Nd87rNMWQEAgKYsnm00dlLm
 uV/X21a9W6RJYgOGP4+BY4DAyVezpgk=
 =vSMk
 -----END PGP SIGNATURE-----

Merge tag 'kernel.sys.v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux

Pull set_user()  update from Christian Brauner:
 "This contains a single fix to set_user() which aligns permission
  checks with the corresponding fork() codepath. No one involved in this
  could come up with a reason for the difference.

  A capable caller can already circumvent the check when they fork where
  the permission checks are already for the relevant capabilities in
  addition to also allowing to exceed nproc when it is the init user.

  So apply the same logic to set_user()"

* tag 'kernel.sys.v5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  set_user: add capability check when rlimit(RLIMIT_NPROC) exceeds
This commit is contained in:
Linus Torvalds 2021-08-31 12:16:05 -07:00
commit e55f0c439a
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
kernel/sys.c
View file

@ -480,7 +480,8 @@ static int set_user(struct cred *new)
* failure to the execve() stage.
*/
if (is_ucounts_overlimit(new->ucounts, UCOUNT_RLIMIT_NPROC, rlimit(RLIMIT_NPROC)) &&
new_user != INIT_USER)
new_user != INIT_USER &&
!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
current->flags |= PF_NPROC_EXCEEDED;
else
current->flags &= ~PF_NPROC_EXCEEDED;