exec: Don't reset euid and egid when the tracee has CAP_SETUID Don't reset euid and egid when the tracee has CAP_SETUID in it's user namespace. I punted on relaxing this permission check long ago but now that I have read this code closely it is clear it is safe to test against CAP_SETUID in the user namespace. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

commit: 70169420f555210147f3cab74bb0f6debd488bdb [log] [tgz]
author: Eric W. Biederman <ebiederm@xmission.com> Thu Nov 17 01:38:35 2016 -0600
committer: Eric W. Biederman <ebiederm@xmission.com> Tue Jan 24 12:03:07 2017 +1300
tree: 364f9a2a9d576c91178ba0b5d3c1d671da7301ba
parent: 1cce1eea0aff51201753fcaca421df825b0813b6 [diff]
diff --git a/security/commoncap.c b/security/commoncap.c
index 8df676f..feb6044 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c

@@ -550,7 +550,7 @@
 	     !cap_issubset(new->cap_permitted, old->cap_permitted)) &&
 	    bprm->unsafe & ~LSM_UNSAFE_PTRACE_CAP) {
 		/* downgrade; they get no more than they had, and maybe less */
-		if (!capable(CAP_SETUID) ||
+		if (!ns_capable(new->user_ns, CAP_SETUID) ||
 		    (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS)) {
 			new->euid = new->uid;
 			new->egid = new->gid;
commit	70169420f555210147f3cab74bb0f6debd488bdb	[log] [tgz]
author	Eric W. Biederman <ebiederm@xmission.com>	Thu Nov 17 01:38:35 2016 -0600
committer	Eric W. Biederman <ebiederm@xmission.com>	Tue Jan 24 12:03:07 2017 +1300
tree	364f9a2a9d576c91178ba0b5d3c1d671da7301ba
parent	1cce1eea0aff51201753fcaca421df825b0813b6 [diff]