[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <b647ffbd0806110721v187d2aadxf0e4395ea977f1af@mail.gmail.com>
Date: Wed, 11 Jun 2008 16:21:17 +0200
From: "Dmitry Adamushko" <dmitry.adamushko@...il.com>
To: "Andrew G. Morgan" <morgan@...nel.org>
Cc: "Chris Wright" <chrisw@...s-sol.org>,
"Serge E. Hallyn" <serue@...ibm.com>,
"Andrew Morton" <akpm@...ux-foundation.org>,
"Linus Torvalds" <torvalds@...ux-foundation.org>,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] bugfix: was Re: [ linus-git ] prctl(PR_SET_KEEPCAPS, ...) is broken for some configs, e.g. CONFIG_SECURITY_SELINUX
2008/6/11 Andrew G. Morgan <morgan@...nel.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Wright wrote:
> |> + switch (option) {
> |> + case PR_CAPBSET_READ:
> |> + *rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
> |> + break;
> |
> | Do we need this one? It's new to 2.6.25, so I think we could not
> | worry about emulating it here.
>
> We're talking about 'fixing' 2.6.26 no? I'd rather not open up the
> possibility that I have to 'fix' it again because of dropping a feature
> of 2.6.25... (Forgive me if I sound like I'm climbing out of a septic
> tank here.)
>
> Dmitry: please verify this change addresses your problem...
well, I fixed it on my side with another approach before sending a
report for this "problem".
It was not immediatelly clear to me that the concept of "process
capabilities" (as described in "man prctl" as follows
"Set the state of the process's "keep capabilities" flag...")
is not applicable to all possible configuration, meaning that each
configuration have to support it in some way or another.
Moreover, according to commit's description the changes were supposed
to be 'nop' for all configs besides when one freshly ntroduced is
enabled.
Should it have been explicitly specified that thanks to this commit
prctl(KEEPCAPS, ...) turns into "a good citizen" (i.e. stops lying to
userspace about its support of capabilities -- if that's what is
desired), it'd change a further flow of events :-)
ok, anyway, I don't have access to my machine at the moment and can't
guarantee that I'll be able to do a test today.
You may try it with one of the configs I mentioened + a program doing
prctl(KEEPCAPS, 1, ...).
>From what I see, yes, it should address this issue.
btw., if I recall right capget() is still "lying" now. capset() did
give an error but Ubuntu's dhclient is somewhat inconsistent as it
checks for a return value of prctl() but not capset().
>
> Cheers
>
> Andrew
--
Best regards,
Dmitry Adamushko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists