CVE-2014-3215.patch « libcap-ng « libcap-ng « recipes-security « meta-security - meta-agl

blob: d7a868d2ca5b4e21c4d6fc27eb4df742fd616e83 (plain) @media only all and (prefers-color-scheme: dark) { .highlight .hll { background-color: #49483e } .highlight .c { color: #75715e } /* Comment */ .highlight .err { color: #960050; background-color: #1e0010 } /* Error */ .highlight .k { color: #66d9ef } /* Keyword */ .highlight .l { color: #ae81ff } /* Literal */ .highlight .n { color: #f8f8f2 } /* Name */ .highlight .o { color: #f92672 } /* Operator */ .highlight .p { color: #f8f8f2 } /* Punctuation */ .highlight .ch { color: #75715e } /* Comment.Hashbang */ .highlight .cm { color: #75715e } /* Comment.Multiline */ .highlight .cp { color: #75715e } /* Comment.Preproc */ .highlight .cpf { color: #75715e } /* Comment.PreprocFile */ .highlight .c1 { color: #75715e } /* Comment.Single */ .highlight .cs { color: #75715e } /* Comment.Special */ .highlight .gd { color: #f92672 } /* Generic.Deleted */ .highlight .ge { font-style: italic } /* Generic.Emph */ .highlight .gi { color: #a6e22e } /* Generic.Inserted */ .highlight .gs { font-weight: bold } /* Generic.Strong */ .highlight .gu { color: #75715e } /* Generic.Subheading */ .highlight .kc { color: #66d9ef } /* Keyword.Constant */ .highlight .kd { color: #66d9ef } /* Keyword.Declaration */ .highlight .kn { color: #f92672 } /* Keyword.Namespace */ .highlight .kp { color: #66d9ef } /* Keyword.Pseudo */ .highlight .kr { color: #66d9ef } /* Keyword.Reserved */ .highlight .kt { color: #66d9ef } /* Keyword.Type */ .highlight .ld { color: #e6db74 } /* Literal.Date */ .highlight .m { color: #ae81ff } /* Literal.Number */ .highlight .s { color: #e6db74 } /* Literal.String */ .highlight .na { color: #a6e22e } /* Name.Attribute */ .highlight .nb { color: #f8f8f2 } /* Name.Builtin */ .highlight .nc { color: #a6e22e } /* Name.Class */ .highlight .no { color: #66d9ef } /* Name.Constant */ .highlight .nd { color: #a6e22e } /* Name.Decorator */ .highlight .ni { color: #f8f8f2 } /* Name.Entity */ .highlight .ne { color: #a6e22e } /* Name.Exception */ .highlight .nf { color: #a6e22e } /* Name.Function */ .highlight .nl { color: #f8f8f2 } /* Name.Label */ .highlight .nn { color: #f8f8f2 } /* Name.Namespace */ .highlight .nx { color: #a6e22e } /* Name.Other */ .highlight .py { color: #f8f8f2 } /* Name.Property */ .highlight .nt { color: #f92672 } /* Name.Tag */ .highlight .nv { color: #f8f8f2 } /* Name.Variable */ .highlight .ow { color: #f92672 } /* Operator.Word */ .highlight .w { color: #f8f8f2 } /* Text.Whitespace */ .highlight .mb { color: #ae81ff } /* Literal.Number.Bin */

Upstream-Status: Pending

diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
index 7683119..a070c1e 100644
--- a/docs/capng_lock.3
+++ b/docs/capng_lock.3
@@ -8,12 +8,13 @@ int capng_lock(void);
 
 .SH "DESCRIPTION"
 
-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs.  This should be called while possessing the CAP_SETPCAP capability in the kernel.
 
+This function will do the following if permitted by the kernel:  If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it.  Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.  If both fail, it will return an error.
 
 .SH "RETURN VALUE"
 
-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
 
 .SH "SEE ALSO"
 
diff --git a/src/cap-ng.c b/src/cap-ng.c
index bd105ba..422f2bc 100644
--- a/src/cap-ng.c
+++ b/src/cap-ng.c
@@ -45,6 +45,7 @@
  * 2.6.24 kernel	XATTR_NAME_CAPS
  * 2.6.25 kernel	PR_CAPBSET_DROP, CAPABILITY_VERSION_2
  * 2.6.26 kernel	PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
+ * 3.5    kernel	PR_SET_NO_NEW_PRIVS
  */
 
 /* External syscall prototypes */
@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
 #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
 #endif
 
+/* prctl values that we use */
+#ifndef PR_SET_SECUREBITS
+#define PR_SET_SECUREBITS		28
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS		38
+#endif
+
 // States: new, allocated, initted, updated, applied
 typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
 	CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
 
 int capng_lock(void)
 {
-#ifdef PR_SET_SECUREBITS
-	int rc = prctl(PR_SET_SECUREBITS,
-			1 << SECURE_NOROOT |
-			1 << SECURE_NOROOT_LOCKED |
-			1 << SECURE_NO_SETUID_FIXUP |
-			1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+	int rc;
+
+	// On Linux 3.5 and up, we can directly prevent ourselves and
+	// our descendents from gaining privileges.
+	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
+		return 0;
+
+	// This kernel is too old or otherwise doesn't support
+	// PR_SET_NO_NEW_PRIVS.  Fall back to using securebits.
+	rc = prctl(PR_SET_SECUREBITS,
+		   1 << SECURE_NOROOT |
+		   1 << SECURE_NOROOT_LOCKED |
+		   1 << SECURE_NO_SETUID_FIXUP |
+		   1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
 	if (rc)
 		return -1;
-#endif
 
 	return 0;
 }