summaryrefslogtreecommitdiffstats
path: root/security/commoncap.c
diff options
context:
space:
mode:
authorSerge E. Hallyn <serue@us.ibm.com>2007-11-14 17:00:34 -0800
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-11-14 18:45:44 -0800
commit91ad997a34d7abca1f04e819e31eb9f3d4e20585 (patch)
treed39e72f2e2ab69ccb6c69acf46173ccd8803fcc4 /security/commoncap.c
parent20a1022d4ac5c53f0956006fd9e30cf4846d5e58 (diff)
downloadlinux-91ad997a34d7abca1f04e819e31eb9f3d4e20585.tar.bz2
file capabilities: allow sigcont within session
Fix http://bugzilla.kernel.org/show_bug.cgi?id=9247 Allow sigcont to be sent to a process with greater capabilities if it is in the same session. Otherwise, a shell from which I've started a root shell and done 'suspend' can't be restarted by the parent shell. Also don't do file-capabilities signaling checks when uids for the processes don't match, since the standard check_kill_permission will have done those checks. [akpm@linux-foundation.org: coding-style cleanups] Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Acked-by: Andrew Morgan <morgan@kernel.org> Cc: Chris Wright <chrisw@sous-sol.org> Tested-by: "Theodore Ts'o" <tytso@mit.edu> Cc: Stephen Smalley <sds@epoch.ncsc.mil> Cc: "Rafael J. Wysocki" <rjw@sisk.pl> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r--security/commoncap.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/security/commoncap.c b/security/commoncap.c
index bf67871173ef..302e8d0839a9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -526,6 +526,10 @@ int cap_task_kill(struct task_struct *p, struct siginfo *info,
if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
return 0;
+ /* sigcont is permitted within same session */
+ if (sig == SIGCONT && (task_session_nr(current) == task_session_nr(p)))
+ return 0;
+
if (secid)
/*
* Signal sent as a particular user.