[<prev] [next>] [day] [month] [year] [list]
Message-ID: <b647ffbd0806080540w6dde917di1d7b812f01a4d81a@mail.gmail.com>
Date: Sun, 8 Jun 2008 14:40:29 +0200
From: "Dmitry Adamushko" <dmitry.adamushko@...il.com>
To: "Andrew G. Morgan" <morgan@...nel.org>
Cc: "Andrew Morton" <akpm@...ux-foundation.org>,
"Linus Torvalds" <torvalds@...ux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: [ linus-git ] prctl(PR_SET_KEEPCAPS, ...) is broken for some configs, e.g. CONFIG_SECURITY_SELINUX
Hi,
the commit 3898b1b4ebff8dcfbcf1807e0661585e06c9a91c has broken (always
-EINVAL as a return value)
prctl(PR_SET_KEEPCAPS, {1 | 0}, 0, 0, 0);
for the following configs:
1) CONFIG_SECURITY but without any of CONFIG_SECURITY_* modules;
2) CONFIG_SECURITY + CONFIG_SECURITY_SELINUX + CONFIG_SECURITY_SELINUX_DISABLE
both fall back to 'dummy' implementation.
3) CONFIG_SECURITY + CONFIG_SECURITY_SELINUX
for this config it will work when there is a secondary security module.
Here is what happens:
Processing of PR_SET_KEEPCAPS (and a couple of other options) has been
moved from kernel/sys.c::sys_prctl()
to security/commoncap.c::cap_task_prctl().
For the aforementioned configs cap_task_prctl() is not called
(moreover, security/commoncap.c is not compiled).
SELinux's implementation of .task_prctl callback resorts to
secondary_ops->task_prctl() which is dummy_task_prctl() (in the
absence of CONFIG_SECURITY_CAPABILITIES (or any other) as a secondary
module).
So the relevant code should be either moved back to sys_prctl() or
placed in some generic function (not in security/commoncap.c) which is
accessible for all configs.
p.s. perhaps, some would argue that such behavior might have its own
advantages. e.g. 'dhclient' on Ubuntu (for sure on 7.04) refuses to
work and, as a result, a crowd of Ubuntu followers turn their backs on
the virtual world and finally spend more time with their families. It
might be also good for the noble cause of fighting global warming...
heh, provided people don't escape into another virtual world by means
of shiny plasma-TVs :-)
--
Best regards,
Dmitry Adamushko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists