lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Tue,  7 Jul 2015 17:06:52 +0100
From:	Ian Abbott <abbotti@....co.uk>
To:	<driverdev-devel@...uxdriverproject.org>
Cc:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Ian Abbott <abbotti@....co.uk>,
	H Hartley Sweeten <hsweeten@...ionengravers.com>,
	<linux-kernel@...r.kernel.org>
Subject: [PATCH] staging: comedi: use CAP_SYS_ADMIN instead of CAP_NET_ADMIN

If the "comedi" module has been loaded with the
"comedi_num_legacy_minors" module parameter set to a non-zero value,
some reserved comedi devices get created.  These can be attached to a
low-level comedi driver using the `COMEDI_DEVCONFIG` ioctl command,
which checks for the `CAP_SYS_ADMIN` capability.  Of course, the comedi
device needs to be opened before the ioctl command can be sent.  If the
comedi device is unattached, `comedi_open()` currently requires the
`CAP_NET_ADMIN` capability.  It makes more sense to just require the
`CAP_SYS_ADMIN` capability here, so change it.

For the curious, commit a8f80e8ff94e ("Networking: use CAP_NET_ADMIN
when deciding to call request_module") changed this capability from
`CAP_SYS_MODULE` to `CAP_NET_ADMIN`, even though it doesn't seem
relevant here.  The original `CAP_SYS_MODULE` capability was due to the
function having some code to request a module using a "char-major-%i-%i"
alias, but that was never compiled in and was removed by commit
f30f2c2d417b ("staging: comedi: remove check for CONFIG_KMOD").

Signed-off-by: Ian Abbott <abbotti@....co.uk>
---
 drivers/staging/comedi/comedi_fops.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 985d94b..1679bfb 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c
@@ -2599,8 +2599,8 @@ static int comedi_open(struct inode *inode, struct file *file)
 	cfp->dev = dev;
 
 	mutex_lock(&dev->mutex);
-	if (!dev->attached && !capable(CAP_NET_ADMIN)) {
-		dev_dbg(dev->class_dev, "not attached and not CAP_NET_ADMIN\n");
+	if (!dev->attached && !capable(CAP_SYS_ADMIN)) {
+		dev_dbg(dev->class_dev, "not attached and not CAP_SYS_ADMIN\n");
 		rc = -ENODEV;
 		goto out;
 	}
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ