lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 03 Dec 2007 22:14:43 -0800 From: Andrew Morgan <morgan@...nel.org> To: KaiGai Kohei <kaigai@...jp.nec.com> CC: "Serge E. Hallyn" <serue@...ibm.com>, lkml <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, Chris Wright <chrisw@...s-sol.org>, Stephen Smalley <sds@...ch.ncsc.mil>, jmorris@...gelap.austin.ibm.com, Andrew Morton <akpm@...l.org> Subject: Re: [PATCH] capabilities: introduce per-process capability bounding set (v10) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 KaiGai Kohei wrote: > Serge, > > Please tell me the meanings of the following condition. > >> diff --git a/security/commoncap.c b/security/commoncap.c >> index 3a95990..cb71bb0 100644 >> --- a/security/commoncap.c >> +++ b/security/commoncap.c >> @@ -133,6 +119,12 @@ int cap_capset_check (struct task_struct *target, >> kernel_cap_t *effective, >> /* incapable of using this inheritable set */ >> return -EPERM; >> } >> + if (!!cap_issubset(*inheritable, >> + cap_combine(target->cap_inheritable, >> + current->cap_bset))) { >> + /* no new pI capabilities outside bounding set */ >> + return -EPERM; >> + } >> >> /* verify restrictions on target's new Permitted set */ >> if (!cap_issubset (*permitted, > > It seems to me this condition requires the new inheritable capability > set must have a capability more than bounding set, at least. > What is the purpose of this checking? Yes, the !! was a bug. The correct check is a single !. (Thus, the correct check says no 'new' pI bits can be outside cap_bset.) Cheers Andrew > > In the initial state, any process have no inheritable capability set > and full bounding set. Thus, we cannot do capset() always. > > Thanks, -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHVPBS+bHCR3gb8jsRAnxQAJ0Vna82bl9M11OL/uuEe21nF5+9TACfSzGi aY0SUvMmLZCIF0KovBTpihE= =wT9N -----END PGP SIGNATURE----- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists