Integrate parts of meta-intel-iot-security

[AGL/meta-agl.git] / meta-security / recipes-security / libcap-ng / libcap-ng / CVE-2014-3215.patch

Upstream-Status: Pending

diff --git a/docs/capng_lock.3 b/docs/capng_lock.3
index 7683119..a070c1e 100644
--- a/docs/capng_lock.3
+++ b/docs/capng_lock.3
@@ -8,12 +8,13 @@ int capng_lock(void);
 
 .SH "DESCRIPTION"
 
-capng_lock will take steps to prevent children of the current process to regain full privileges if the uid is 0. This should be called while possessing the CAP_SETPCAP capability in the kernel. This function will do the following if permitted by the kernel: Set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.
+capng_lock will take steps to prevent children of the current process from gaining privileges by executing setuid programs.  This should be called while possessing the CAP_SETPCAP capability in the kernel.
 
+This function will do the following if permitted by the kernel:  If the kernel supports PR_SET_NO_NEW_PRIVS, it will use it.  Otherwise it will set the NOROOT option on for PR_SET_SECUREBITS, set the NOROOT_LOCKED option to on for PR_SET_SECUREBITS, set the PR_NO_SETUID_FIXUP option on for PR_SET_SECUREBITS, and set the PR_NO_SETUID_FIXUP_LOCKED option on for PR_SET_SECUREBITS.  If both fail, it will return an error.
 
 .SH "RETURN VALUE"
 
-This returns 0 on success and a negative number on failure. -1 means a failure setting any of the PR_SET_SECUREBITS options.
+This returns 0 on success and a negative number on failure. -1 means a failure to use PR_SET_NO_NEW_PRIVS and a failure setting any of the PR_SET_SECUREBITS options.
 
 .SH "SEE ALSO"
 
diff --git a/src/cap-ng.c b/src/cap-ng.c
index bd105ba..422f2bc 100644
--- a/src/cap-ng.c
+++ b/src/cap-ng.c
@@ -45,6 +45,7 @@
  * 2.6.24 kernel       XATTR_NAME_CAPS
  * 2.6.25 kernel       PR_CAPBSET_DROP, CAPABILITY_VERSION_2
  * 2.6.26 kernel       PR_SET_SECUREBITS, SECURE_*_LOCKED, VERSION_3
+ * 3.5    kernel       PR_SET_NO_NEW_PRIVS
  */
 
 /* External syscall prototypes */
@@ -122,6 +123,14 @@ extern int capget(cap_user_header_t header, const cap_user_data_t data);
 #define SECURE_NO_SETUID_FIXUP_LOCKED   3  /* make bit-2 immutable */
 #endif
 
+/* prctl values that we use */
+#ifndef PR_SET_SECUREBITS
+#define PR_SET_SECUREBITS              28
+#endif
+#ifndef PR_SET_NO_NEW_PRIVS
+#define PR_SET_NO_NEW_PRIVS            38
+#endif
+
 // States: new, allocated, initted, updated, applied
 typedef enum { CAPNG_NEW, CAPNG_ERROR, CAPNG_ALLOCATED, CAPNG_INIT,
        CAPNG_UPDATED, CAPNG_APPLIED } capng_states_t;
@@ -663,15 +672,22 @@ int capng_change_id(int uid, int gid, capng_flags_t flag)
 
 int capng_lock(void)
 {
-#ifdef PR_SET_SECUREBITS
-       int rc = prctl(PR_SET_SECUREBITS,
-                       1 << SECURE_NOROOT |
-                       1 << SECURE_NOROOT_LOCKED |
-                       1 << SECURE_NO_SETUID_FIXUP |
-                       1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
+       int rc;
+
+       // On Linux 3.5 and up, we can directly prevent ourselves and
+       // our descendents from gaining privileges.
+       if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0)
+               return 0;
+
+       // This kernel is too old or otherwise doesn't support
+       // PR_SET_NO_NEW_PRIVS.  Fall back to using securebits.
+       rc = prctl(PR_SET_SECUREBITS,
+                  1 << SECURE_NOROOT |
+                  1 << SECURE_NOROOT_LOCKED |
+                  1 << SECURE_NO_SETUID_FIXUP |
+                  1 << SECURE_NO_SETUID_FIXUP_LOCKED, 0, 0, 0);
        if (rc)
                return -1;
-#endif
 
        return 0;
 }