author | Alberto Bertogli
<albertito@blitiri.com.ar> 2009-10-11 05:10:58 UTC |
committer | Alberto Bertogli
<albertito@blitiri.com.ar> 2009-10-11 05:10:58 UTC |
parent | bd381934bf13ccb1af2813ae26c6fe00ec85d254 |
fs/exec.c | +5 | -1 |
include/linux/binfmts.h | +2 | -0 |
kernel/sysctl.c | +10 | -0 |
diff --git a/fs/exec.c b/fs/exec.c index d49be6bc179..8758b0436a8 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1104,6 +1104,9 @@ int check_unsafe_exec(struct linux_binprm *bprm) return res; } +/* Whether we honor execution of suid binaries at all */ +int __read_mostly suid_enable = 1; + /* * Fill the binprm structure from the inode. * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes @@ -1124,7 +1127,8 @@ int prepare_binprm(struct linux_binprm *bprm) bprm->cred->euid = current_euid(); bprm->cred->egid = current_egid(); - if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { + if (suid_enable && + !(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) { /* Set-uid? */ if (mode & S_ISUID) { bprm->per_clear |= PER_CLEAR_ON_SETID; diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h index aece486ac73..b925a58552c 100644 --- a/include/linux/binfmts.h +++ b/include/linux/binfmts.h @@ -107,6 +107,8 @@ extern int suid_dumpable; #define SUID_DUMP_USER 1 /* Dump as user of process */ #define SUID_DUMP_ROOT 2 /* Dump as root */ +extern int suid_enable; + /* Stack area protections */ #define EXSTACK_DEFAULT 0 /* Whatever the arch defaults to */ #define EXSTACK_DISABLE_X 1 /* Disable executable stacks */ diff --git a/kernel/sysctl.c b/kernel/sysctl.c index 0d949c51741..f4d375b522c 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -1582,6 +1582,16 @@ static struct ctl_table fs_table[] = { .extra1 = &zero, .extra2 = &two, }, + { + .procname = "suid_enable", + .data = &suid_enable, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = &proc_dointvec_minmax, + .strategy = &sysctl_intvec, + .extra1 = &zero, + .extra2 = &one, + }, #if defined(CONFIG_BINFMT_MISC) || defined(CONFIG_BINFMT_MISC_MODULE) { .ctl_name = CTL_UNNUMBERED,
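Review bot: The comment above the new `suid_enable` definition should name the control interface and state its exact scope, because a global with this name invites the assumption that it switches off every setuid-style privilege gain on exec. Suggest `/* sysctl fs.suid_enable: when 0, prepare_binprm() ignores the S_ISUID/S_ISGID bits on the executable (same effect as MNT_NOSUID); default 1 */`. Whether other credential-raising paths are covered is not visible in this hunk and should be stated in the comment once confirmed. The tail of check_unsafe_exec() shown as context here starts outside the hunk.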
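Review bot: Gating only the S_ISUID/S_ISGID branch on `suid_enable` leaves any other privilege-granting step in prepare_binprm() untouched; if, as in mainline of this era, file capabilities are applied later through security_bprm_set_creds() (outside this hunk), a binary carrying fscaps still gains privilege with fs.suid_enable=0, so the knob is narrower than its name and the sysctl suggest. Either propagate the decision to that path as well, treating `!suid_enable` like MNT_NOSUID wherever MNT_NOSUID is consulted, or document the gap next to the check. `suid_enable` is read here without any synchronization, which is acceptable for a plain int toggled by root but deserves a one-line comment saying so. prepare_binprm() begins outside the hunk.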
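Review bot: The new fs_table entry omits `.ctl_name`, while the neighbouring entries in this hunk set it (the following entry begins with `.ctl_name = CTL_UNNUMBERED,`); with `.strategy` populated, the sysctl table checker of this era is likely to warn about a strategy without ctl_name at boot, so add `.ctl_name = CTL_UNNUMBERED,` as the first initializer for consistency. Separately, with mode 0644 the knob is freely reversible by root, which limits its value as a hardening measure; if it is intended as a lockdown, consider rejecting the 0→1 transition in the handler, otherwise document it as a convenience switch. The diffstat shows no change to Documentation/sysctl/fs.txt, so the new knob, its range and its interaction with MNT_NOSUID are undocumented for administrators.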