| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Sep 2015 10:57:43 -0700 From: Kees Cook <keescook@...omium.org> To: Andy Lutomirski <luto@...capital.net> Cc: Andy Lutomirski <luto@...nel.org>, Michael Kerrisk-manpages <mtk.manpages@...il.com>, Serge Hallyn <serge.hallyn@...ntu.com>, Andrew Morton <akpm@...uxfoundation.org>, Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>, "Ted Ts'o" <tytso@....edu>, "Andrew G. Morgan" <morgan@...nel.org>, Linux API <linux-api@...r.kernel.org>, Mimi Zohar <zohar@...ux.vnet.ibm.com>, Austin S Hemmelgarn <ahferroin7@...il.com>, linux-security-module <linux-security-module@...r.kernel.org>, Aaron Jones <aaronmdjones@...il.com>, Serge Hallyn <serge.hallyn@...onical.com>, LKML <linux-kernel@...r.kernel.org>, Markku Savela <msa@...h.iki.fi>, Jonathan Corbet <corbet@....net> Subject: Re: [PATCH v2] capabilities.7, prctl.2: Document ambient capabilities On Tue, Sep 29, 2015 at 10:49 AM, Andy Lutomirski <luto@...capital.net> wrote: > On Tue, Sep 29, 2015 at 10:47 AM, Kees Cook <keescook@...omium.org> wrote: >> On Mon, Sep 28, 2015 at 6:03 PM, Andy Lutomirski <luto@...nel.org> wrote: >>> Signed-off-by: Andy Lutomirski <luto@...nel.org> >>> --- >>> man2/prctl.2 | 12 ++++++++++++ >>> man7/capabilities.7 | 40 ++++++++++++++++++++++++++++++++++------ >>> 2 files changed, 46 insertions(+), 6 deletions(-) >>> >>> diff --git a/man2/prctl.2 b/man2/prctl.2 >>> index e743a6305969..5bcec391c110 100644 >>> --- a/man2/prctl.2 >>> +++ b/man2/prctl.2 >>> @@ -954,6 +954,18 @@ had been called. >>> For further information on Intel MPX, see the kernel source file >>> .IR Documentation/x86/intel_mpx.txt . >>> .\" >>> +.TP >>> +.BR PR_CAP_AMBIENT " (since Linux 4.2)" >>> +Reads or changes the ambient capability set. If arg2 is PR_CAP_AMBIENT_RAISE, >>> +then the capability specified in arg3 is added to the ambient set. This will >>> +fail, returning EPERM, if the capability is not already both permitted and >>> +inheritable or if the SECBIT_NO_CAP_AMBIENT_RAISE securebit is set. If arg2 >>> +is PR_CAP_AMBIENT_LOWER, then the capability specified in arg3 is removed >>> +from the ambient set. If arg2 is PR_CAP_AMBIENT_IS_SET, then >>> +.BR prctl (2) >>> +will return 1 if the capability in arg3 is in the ambient set and 0 if not. >>> +If arg2 is PR_CAP_AMBIENT_CLEAR_ALL, then all capabilities will >>> +be removed from the ambient set. >> >> In the case of CLEAR_ALL, is arg3 "don't care", or must it be set to 0? > > Must be zero. Okay, cool. Probably that should be noted here. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists