lxc/0059-remove-process-inheritable-capability.patch
zhangxiaoyu 7bcfe31bee remove process inheritable capabilities
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
(cherry picked from commit f10a758ebd8f96de1f6a5f578f69907291a3f8c1)
2023-02-21 10:55:41 +08:00


From 581c6ae008a3ff1f36f00572371326b0d86efd9c Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 21 Feb 2023 10:38:45 +0800
Subject: [PATCH] remove process inheritable capability
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
src/lxc/conf.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7f98811..19cf5e3 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -5284,7 +5284,8 @@ int lxc_drop_caps(struct lxc_conf *conf)
if (caplist[i]) {
cap_data[CAP_TO_INDEX(i)].effective = cap_data[CAP_TO_INDEX(i)].effective | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
cap_data[CAP_TO_INDEX(i)].permitted = cap_data[CAP_TO_INDEX(i)].permitted | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
- cap_data[CAP_TO_INDEX(i)].inheritable = cap_data[CAP_TO_INDEX(i)].inheritable | (i > 31 ? __DEF_CAP_TO_MASK(i % 32) : __DEF_CAP_TO_MASK(i));
+ // fix CVE-2022-24769
+ // inheritable capability should be empty
}
}
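Review bot: The new comment says the inheritable set "should be empty", but the hunk only stops OR-ing the bit into `cap_data[CAP_TO_INDEX(i)].inheritable`; nothing in the visible lines clears that field, so unless `cap_data` is zero-initialised before this loop (not shown here) any previously set inheritable bits survive. Make the intent explicit and independent of earlier initialisation, e.g. replace the two comment lines with `cap_data[CAP_TO_INDEX(i)].inheritable = 0; /* CVE-2022-24769: inheritable set must be empty */`, or better, clear the inheritable words for every index once outside the `if (caplist[i])` branch, since capabilities not in `caplist` should not be inheritable either. The two `//` comment lines would also read better as a single C block comment describing why the inheritable set is left empty (the effective and permitted masks are still raised on the lines above).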
--
2.25.1