Bug 497047

Summary: kernel: add some long-missing capabilities to fs_mask
Product: [Other] Security Response Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: atangrin, bhu, dhoward, ekeck, eparis, jbacik, lgoncalv, rkhan, tao, vgaikwad, vgoyal, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-19 09:07:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 497268, 497269, 497270, 497271, 497272    
Bug Blocks:    

Description Eugene Teo (Security Response) 2009-04-22 06:54:49 UTC 
Description of problem:
When POSIX capabilities were introduced during the 2.1 Linux cycle, the fs mask, which represents the capabilities which having fsuid==0 is supposed to grant, did not include CAP_MKNOD and CAP_LINUX_IMMUTABLE.  However, before capabilities the privilege to call these did in fact depend upon fsuid==0.

This patch introduces those capabilities into the fsmask, restoring the old behavior.

See the thread starting at http://lkml.org/lkml/2009/3/11/157 for reference.

Note that if this fix is deemed valid, then earlier kernel versions (2.4 and 2.2) ought to be fixed too.

Changelog:
	[Mar 23] Actually delete old CAP_FS_SET definition...
	[Mar 20] Updated against J. Bruce Fields's patch

Upstream commit:
http://git.kernel.org/linus/0ad30b8fd5fe798aae80df6344b415d8309342cc
Comment 2 Eugene Teo (Security Response) 2009-04-23 03:37:35 UTC 
http://lwn.net/Articles/328572/
Comment 4 Eugene Teo (Security Response) 2009-04-23 05:16:41 UTC 
Upstream commit for 2.4:
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=1c06d5237647db43cb2043a19cb393f4ed4d942f
Comment 9 Lachlan McIlroy 2009-05-29 01:34:08 UTC 
Add issue 296769.
Comment 10 errata-xmlrpc 2009-06-03 15:37:00 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2009:1081 https://rhn.redhat.com/errata/RHSA-2009-1081.html