lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <b647ffbd0806110721v187d2aadxf0e4395ea977f1af@mail.gmail.com>
Date:	Wed, 11 Jun 2008 16:21:17 +0200
From:	"Dmitry Adamushko" <dmitry.adamushko@...il.com>
To:	"Andrew G. Morgan" <morgan@...nel.org>
Cc:	"Chris Wright" <chrisw@...s-sol.org>,
	"Serge E. Hallyn" <serue@...ibm.com>,
	"Andrew Morton" <akpm@...ux-foundation.org>,
	"Linus Torvalds" <torvalds@...ux-foundation.org>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] bugfix: was Re: [ linus-git ] prctl(PR_SET_KEEPCAPS, ...) is broken for some configs, e.g. CONFIG_SECURITY_SELINUX

2008/6/11 Andrew G. Morgan <morgan@...nel.org>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Chris Wright wrote:
> |> +    switch (option) {
> |> +    case PR_CAPBSET_READ:
> |> +            *rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
> |> +            break;
> |
> | Do we need this one?  It's new to 2.6.25, so I think we could not
> | worry about emulating it here.
>
> We're talking about 'fixing' 2.6.26 no? I'd rather not open up the
> possibility that I have to 'fix' it again because of dropping a feature
> of 2.6.25... (Forgive me if I sound like I'm climbing out of a septic
> tank here.)
>
> Dmitry: please verify this change addresses your problem...

well, I fixed it on my side with another approach before sending a
report for this "problem".

It was not immediatelly clear to me that the concept of "process
capabilities" (as described in "man prctl" as follows
"Set  the state of the process's "keep capabilities" flag...")
is not applicable to all possible configuration, meaning that each
configuration have to support it in some way or another.

Moreover, according to commit's description the changes were supposed
to be 'nop' for all configs besides when one freshly ntroduced is
enabled.

Should it have been explicitly specified that thanks to this commit
prctl(KEEPCAPS, ...) turns into "a good citizen" (i.e. stops lying to
userspace about its support of capabilities -- if that's what is
desired), it'd change a further flow of events :-)

ok, anyway, I don't have access to my machine at the moment and can't
guarantee that I'll be able to do a test today.
You may try it with one of the configs I mentioened + a program doing
prctl(KEEPCAPS, 1, ...).

>From what I see, yes, it should address this issue.

btw., if I recall right capget() is still "lying" now. capset() did
give an error but Ubuntu's dhclient is somewhat inconsistent as it
checks for a return value of prctl() but not capset().


>
> Cheers
>
> Andrew


-- 
Best regards,
Dmitry Adamushko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ