From dfc138c18dc8ee4ca53a78214a2baa8555926c0c Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Tue, 17 Apr 2012 16:26:54 -0400
Subject: [PATCH] --- yaml --- r: 299325 b: refs/heads/master c:
 d52fc5dde171f030170a6cb78034d166b13c9445 h: refs/heads/master i:   299323:
 96d3519c510f4b3f2bc6bd10cf5e012b62326d5a v: v3

---
 [refs]                     | 2 +-
 trunk/security/commoncap.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/[refs] b/[refs]
index 56016115009b..1f957554169a 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 09c79b60960bdd4b00916219402eabfa5e479c5a
+refs/heads/master: d52fc5dde171f030170a6cb78034d166b13c9445
diff --git a/trunk/security/commoncap.c b/trunk/security/commoncap.c
index 0cf4b53480a7..0ecf4ba321cb 100644
--- a/trunk/security/commoncap.c
+++ b/trunk/security/commoncap.c
@@ -505,6 +505,11 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
 	}
 skip:
 
+	/* if we have fs caps, clear dangerous personality flags */
+	if (!cap_issubset(new->cap_permitted, old->cap_permitted))
+		bprm->per_clear |= PER_CLEAR_ON_SETID;
+
+
 	/* Don't let someone trace a set[ug]id/setpcap binary with the revised
 	 * credentials unless they have the appropriate permit
 	 */