lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <47B2A3F3.8060701@ak.jp.nec.com>
Date:	Wed, 13 Feb 2008 17:01:55 +0900
From:	Kohei KaiGai <kaigai@...jp.nec.com>
To:	"Serge E. Hallyn" <serue@...ibm.com>
CC:	"Andrew G. Morgan" <morgan@...nel.org>, akpm@...l.org,
	jmorris@...ei.org, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH] exporting capability code/name pairs (try #4)

Serge E. Hallyn wrote:
> Quoting Kohei KaiGai (kaigai@...jp.nec.com):
>> diff --git a/security/Kconfig b/security/Kconfig
>> index 25ffe1b..b79e830 100644
>> --- a/security/Kconfig
>> +++ b/security/Kconfig
>> @@ -91,6 +91,15 @@ config SECURITY_FILE_CAPABILITIES
>>
>>  	  If in doubt, answer N.
>>
>> +config SECURITY_CAPABILITIES_EXPORT
>> +	bool "Exporting capabilities kernel supported"
>> +	depends on SECURITY_CAPABILITIES && SYSFS
> 
> Oh no, we're being bit by this again...  When SECURITY=n, capabilities
> are compiled in but SECURITY_CAPABILITIES=n.
> 
> Months ago I floated the following patch so we'd have a CONFIG variable
> to let us know whether commoncap is compiled in.  You might want to use
> this and depend on CONFIG_COMMONCAP?  (Though really I personally don't
> think you need your own config variable for this)

I also think its own config variable is not necessary to turn on/off
exporting the list of capabilities in actually.
Do you want this feture to be moved into security/commoncap.c and
enabled unconditionally? I can agree this suggestion.

Is there any complaint for this idea?

Thanks,

> Other than that, this tested fine for me.
> 
> thanks,
> -serge
> 
>>>From 54c70ca7671750fe8986451fae91d42107d0ca90 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn <serue@...ibm.com>
> Date: Fri, 28 Sep 2007 10:33:33 -0500
> Subject: [PATCH 1/2] capabilities: define CONFIG_COMMONCAP
> 
> currently the compilation of commoncap.c is determined
> through Makefile logic.  So there is no single CONFIG
> variable which can be relied upon to know whether it
> will be compiled.
> 
> Define CONFIG_COMMONCAP to be true when lsm is not
> compiled in, or when the capability or rootplug modules
> are compiled.  These are the cases when commoncap is
> currently compiled.  Use this variable in security/Makefile
> to determine commoncap.c's compilation.
> 
> Apart from being a logic cleanup, this is needed by the
> upcoming cap_bset patch so that prctl can know whether
> PR_SET_BSET should be allowed.
> 
> Signed-off-by: Serge E. Hallyn <serue@...ibm.com>
> ---
>  security/Kconfig  |    4 ++++
>  security/Makefile |    9 +++------
>  2 files changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/security/Kconfig b/security/Kconfig
> index 8086e61..02b33fa 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -103,6 +103,10 @@ config SECURITY_ROOTPLUG
>  	  
>  	  If you are unsure how to answer this question, answer N.
>  
> +config COMMONCAP
> +	bool
> +	default !SECURITY || SECURITY_CAPABILITIES || SECURITY_ROOTPLUG
> +
>  source security/selinux/Kconfig
>  
>  endmenu
> diff --git a/security/Makefile b/security/Makefile
> index ef87df2..7cccc81 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -5,14 +5,11 @@
>  obj-$(CONFIG_KEYS)			+= keys/
>  subdir-$(CONFIG_SECURITY_SELINUX)	+= selinux
>  
> -# if we don't select a security model, use the default capabilities
> -ifneq ($(CONFIG_SECURITY),y)
> -obj-y		+= commoncap.o
> -endif
> +obj-$(CONFIG_COMMONCAP)			+= commoncap.o
>  
>  # Object file lists
>  obj-$(CONFIG_SECURITY)			+= security.o dummy.o inode.o
>  # Must precede capability.o in order to stack properly.
>  obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o
> -obj-$(CONFIG_SECURITY_CAPABILITIES)	+= commoncap.o capability.o
> -obj-$(CONFIG_SECURITY_ROOTPLUG)		+= commoncap.o root_plug.o
> +obj-$(CONFIG_SECURITY_CAPABILITIES)	+= capability.o
> +obj-$(CONFIG_SECURITY_ROOTPLUG)		+= root_plug.o


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@...jp.nec.com>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ