Diffstat (limited to 'freed-ora/tags/f16/3.3.2-5.fc16.gnu/fcaps-clear-the-same-personality-flags-as-suid-when-.patch')
-rw-r--r--freed-ora/tags/f16/3.3.2-5.fc16.gnu/fcaps-clear-the-same-personality-flags-as-suid-when-.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/freed-ora/tags/f16/3.3.2-5.fc16.gnu/fcaps-clear-the-same-personality-flags-as-suid-when-.patch b/freed-ora/tags/f16/3.3.2-5.fc16.gnu/fcaps-clear-the-same-personality-flags-as-suid-when-.patch
new file mode 100644
index 000000000..1cf2ac208
--- /dev/null
+++ b/freed-ora/tags/f16/3.3.2-5.fc16.gnu/fcaps-clear-the-same-personality-flags-as-suid-when-.patch
@@ -0,0 +1,38 @@
+From d52fc5dde171f030170a6cb78034d166b13c9445 Mon Sep 17 00:00:00 2001
+From: Eric Paris <eparis@redhat.com>
+Date: Tue, 17 Apr 2012 16:26:54 -0400
+Subject: [PATCH] fcaps: clear the same personality flags as suid when fcaps
+ are used
+
+If a process increases permissions using fcaps all of the dangerous
+personality flags which are cleared for suid apps should also be cleared.
+Thus programs given priviledge with fcaps will continue to have address space
+randomization enabled even if the parent tried to disable it to make it
+easier to attack.
+
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Reviewed-by: Serge Hallyn <serge.hallyn@canonical.com>
+Signed-off-by: James Morris <james.l.morris@oracle.com>
+---
+ security/commoncap.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/security/commoncap.c b/security/commoncap.c
+index 0cf4b53..0ecf4ba 100644
+--- a/security/commoncap.c
++++ b/security/commoncap.c
+@@ -505,6 +505,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
+ }
+ skip:
+
++ /* if we have fs caps, clear dangerous personality flags */
++ if (!cap_issubset(new->cap_permitted, old->cap_permitted))
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++
++
+ /* Don't let someone trace a set[ug]id/setpcap binary with the revised
+ * credentials unless they have the appropriate permit
+ */
+--
+1.7.7.6
+
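Review bot: The comment added above the new check in cap_bprm_set_creds says "if we have fs caps", but the condition `!cap_issubset(new->cap_permitted, old->cap_permitted)` tests whether the exec widens the permitted set; it does not fire for a file with capabilities that grants nothing the caller lacked. A comment such as `/* exec gains permitted caps: clear the same personality flags as for set[ug]id */` would match both the test and the commit subject. The hunk also adds two consecutive blank lines after the assignment, where one is enough. The function body starts and continues outside the hunk, so where `per_clear` is consumed cannot be confirmed from here; a regression test that execs a file-capability binary with ADDR_NO_RANDOMIZE set in the parent and checks the resulting personality would pin the intended behaviour.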