linux/security
Andrew G. Morgan a6dbb1ef2f Fix filesystem capability support
In linux-2.6.24-rc1, security/commoncap.c:cap_inh_is_capped() was
introduced. It has the exact reverse of its intended behavior. This
led to an unintended privilege esculation involving a process'
inheritable capability set.

To be exposed to this bug, you need to have Filesystem Capabilities
enabled and in use. That is:

- CONFIG_SECURITY_FILE_CAPABILITIES must be defined for the buggy code
  to be compiled in.

- You also need to have files on your system marked with fI bits raised.

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@akpm@linux-foundation.org>
2008-01-21 19:39:41 -08:00
..
keys KEYS: Make request_key() and co fundamentally asynchronous 2007-10-17 08:42:57 -07:00
selinux SELinux: detect dead booleans 2007-12-06 00:24:09 +11:00
capability.c Implement file posix capabilities 2007-10-17 08:43:07 -07:00
commoncap.c Fix filesystem capability support 2008-01-21 19:39:41 -08:00
dummy.c Security: allow capable check to permit mmap or low vm space 2007-12-06 00:24:30 +11:00
inode.c security/ cleanups 2007-10-17 08:43:07 -07:00
Kconfig Implement file posix capabilities 2007-10-17 08:43:07 -07:00
Makefile [PATCH] LSM: remove BSD secure level security module 2006-09-29 09:18:10 -07:00
root_plug.c security: Convert LSM into a static interface 2007-10-17 08:43:07 -07:00
security.c security/ cleanups 2007-10-17 08:43:07 -07:00