| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Nov 2006 11:06:34 -0600
From: "Bill O'Donnell" <billodo@....com>
To: KaiGai Kohei <kaigai@...jp.nec.com>
Cc: "Serge E. Hallyn" <serue@...ibm.com>,
Chris Friedhoff <chris@...edhoff.org>,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org,
Stephen Smalley <sds@...ho.nsa.gov>,
James Morris <jmorris@...ei.org>,
Chris Wright <chrisw@...s-sol.org>,
Andrew Morton <akpm@...l.org>,
KaiGai Kohei <kaigai@...gai.gr.jp>,
Alexey Dobriyan <adobriyan@...il.com>
Subject: Re: [PATCH 1/1] security: introduce fs caps
On Wed, Nov 15, 2006 at 09:08:55PM +0900, KaiGai Kohei wrote:
| Serge E. Hallyn wrote:
| >Quoting Bill O'Donnell (billodo@....com):
| >>8102 execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep",
| >>"/bin/ping"], [/* 67 vars */]) = 0
| - snip -
| >>8102 capget(0x19980330, 0, {0, 0, 0}) = -1 EINVAL (Invalid argument)
| >
| >I don't see why this capget is returning -EINVAL. In fact I don't see
| >why it happens at all - cap_inode_setxattr would check
| >capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet. Looking at
| >both libcap and setfcaps.c, I don't see where the capget comes from.
| >
| >As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
| >the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
| >correct - if pid < 0 - but you send in 0 - or if security_capget
| >returns -EINVAL, which cap_capget (and dummy_capget) don't do.
| >
| >Kaigai, do you have any ideas?
|
| Bill said that he uses SLES10/ia64, so the version of libcap is different
| from Fedora Core's one. 'libcap-1.92-499.4.src.rpm' is bandled.
|
| Then, I found a strange code in libcap-1.92-499.4.src.rpm.
|
| The setfcaps calls cap_from_text() which is defined in libcap to parse
| the command line argument. It has the following function call chains:
|
| cap_from_text()
| -> cap_init()
| -> _libcap_establish_api()
- snip -
| capget() is called from _libcap_establish_api() with full-zeroed
| __user_cap_header_struct object at first time.
| The result of this, sys_capget() in kernel will return -EINVAL.
| (Why did strace say the first argument is 0x19980330?)
|
| Probably, Bill didn't update libcap.so.
No, I didn't...
certify:~/libcap-1.10/progs # ls -altr /lib/libcap*
-rwxr-xr-x 1 root root 22672 2006-06-16 09:56 /lib/libcap.so.1.92
-rw-r--r-- 1 root root 53363 2006-11-13 16:04 /lib/libcap.so.1.10
lrwxrwxrwx 1 root root 14 2006-11-13 16:04 /lib/libcap.so.1 ->libcap.so.1.92
lrwxrwxrwx 1 root root 11 2006-11-13 16:04 /lib/libcap.so -> libcap.so.1
|
| But I can't recommend Bill to update libcap immediately.
| As Hawk Xu said, it may cause a serious problem on the distro
| except Fedora Core 6. :(
What version of libcap is on FC6?
|
| I have to recommend to use 'fscaps-1.0-kg.i386.rpm' now.
| It includes the implementation of interaction between application and xattr.
| (Of couse, it's one of the features which should be provided by libcap.)
But that won't work on ia64 will it?
Thanks,
Bill
--
Bill O'Donnell
SGI
651.683.3079
billodo@....com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists