From 08ff8a2e58eb226015fa68d577121137a7e0953f Mon Sep 17 00:00:00 2001 From: Tom Marshall Date: Wed, 25 Jan 2017 18:01:03 +0100 Subject: kernel: Only expose su when daemon is running It has been claimed that the PG implementation of 'su' has security vulnerabilities even when disabled. Unfortunately, the people that find these vulnerabilities often like to keep them private so they can profit from exploits while leaving users exposed to malicious hackers. In order to reduce the attack surface for vulnerabilities, it is therefore necessary to make 'su' completely inaccessible when it is not in use (except by the root and system users). Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d Signed-off-by: Davide Garberi --- kernel/fork.c | 1 + 1 file changed, 1 insertion(+) (limited to 'kernel/fork.c') diff --git a/kernel/fork.c b/kernel/fork.c index 92a0df862115..dcdbb9f7216f 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -360,6 +360,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig, int node) if (err) goto free_stack; + tsk->flags &= ~PF_SU; tsk->stack = stack; err = kaiser_map_thread_stack(tsk->stack); -- cgit v1.2.3
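Review bot: The added `tsk->flags &= ~PF_SU;` in dup_task_struct() has no comment, and it sits between the `if (err) goto free_stack;` check and the `tsk->stack = stack;` assignment, where it reads as part of the stack setup rather than as a privilege decision. Please add a one-line comment saying that a duplicated task must not inherit PF_SU from `orig`, and consider separating it visually from the stack lines so a later refactor of the stack handling does not drop or reorder it. The commit message talks about exposing su only while the daemon is running, but the part of the change shown here (limited to kernel/fork.c) only clears the flag on every new task; a sentence in the message tying the fork-time clear to that goal would help the next reader see why this line is security-relevant. Also note that the From: line names a different person than the only Signed-off-by: line, so the original author's sign-off appears to be missing from what is shown.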