diff options
author | Richard Guy Briggs <rgb@redhat.com> | 2017-10-11 20:57:11 -0400 |
---|---|---|
committer | James Morris <james.l.morris@oracle.com> | 2017-10-20 15:22:45 +1100 |
commit | 02ebbaf48cf211498a9bd2c6b65e7d1b0a901807 (patch) | |
tree | 221b71178b5a3ccea7364ec5907e2a626a020fe0 /security/commoncap.c | |
parent | 9fbc2c79644a88a1cc40a2628ccff1bbbbc9ecc5 (diff) | |
download | lwn-02ebbaf48cf211498a9bd2c6b65e7d1b0a901807.tar.gz lwn-02ebbaf48cf211498a9bd2c6b65e7d1b0a901807.zip |
capabilities: remove a layer of conditional logic
Remove a layer of conditional logic to make the use of conditions
easier to read and analyse.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Okay-ished-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Diffstat (limited to 'security/commoncap.c')
-rw-r--r-- | security/commoncap.c | 23 |
1 files changed, 10 insertions, 13 deletions
diff --git a/security/commoncap.c b/security/commoncap.c index d7f0cbdf04c4..eac70e2b400b 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -781,13 +781,12 @@ static inline bool nonroot_raised_pE(struct cred *cred, kuid_t root) { bool ret = false; - if (__cap_grew(effective, ambient, cred)) { - if (!__cap_full(effective, cred) || - !__is_eff(root, cred) || !__is_real(root, cred) || - !root_privileged()) { - ret = true; - } - } + if (__cap_grew(effective, ambient, cred) && + (!__cap_full(effective, cred) || + !__is_eff(root, cred) || + !__is_real(root, cred) || + !root_privileged())) + ret = true; return ret; } @@ -880,13 +879,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm) /* Check for privilege-elevated exec. */ bprm->cap_elevated = 0; - if (is_setid) { + if (is_setid || + (!__is_real(root_uid, new) && + (effective || + __cap_grew(permitted, ambient, new)))) bprm->cap_elevated = 1; - } else if (!__is_real(root_uid, new)) { - if (effective || - __cap_grew(permitted, ambient, new)) - bprm->cap_elevated = 1; - } return 0; } |