Re: [PATCH V4 07/10] capabilities: remove a layer of conditional logic
On Mon, Sep 4, 2017 at 11:46 PM, Richard Guy Briggs <rgb(a)redhat.com> wrote:
Remove a layer of conditional logic to make the use of conditions
easier to read and analyse.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
Reviewed-by: Serge Hallyn <serge(a)hallyn.com>
Acked-by: James Morris <james.l.morris(a)oracle.com>
Acked-by: Kees Cook <keescook(a)chromium.org>
-Kees
---
security/commoncap.c | 23 ++++++++++-------------
1 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/security/commoncap.c b/security/commoncap.c
index eae7431..cf95d73 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -543,13 +543,12 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t
root)
{
bool ret = false;
- if (__cap_grew(effective, ambient, cred)) {
- if (!__cap_full(effective, cred) ||
- !__is_eff(root, cred) || !__is_real(root, cred) ||
- !root_privileged()) {
- ret = true;
- }
- }
+ if (__cap_grew(effective, ambient, cred) &&
+ (!__cap_full(effective, cred) ||
+ !__is_eff(root, cred) ||
+ !__is_real(root, cred) ||
+ !root_privileged()))
+ ret = true;
return ret;
}
@@ -643,13 +642,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
/* Check for privilege-elevated exec. */
bprm->cap_elevated = 0;
- if (is_setid) {
+ if (is_setid ||
+ (!__is_real(root_uid, new) &&
+ (effective ||
+ __cap_grew(permitted, ambient, new))))
bprm->cap_elevated = 1;
- } else if (!__is_real(root_uid, new)) {
- if (effective ||
- __cap_grew(permitted, ambient, new))
- bprm->cap_elevated = 1;
- }
return 0;
}
--
1.7.1
--
Kees Cook
Pixel Security