Re: [RFC] [PATCH] file posix capabilities
From: Serge E. Hallyn
Date: Tue Aug 15 2006 - 22:23:34 EST
Quoting Casey Schaufler (casey@xxxxxxxxxxxxxxxx):
> --- "Serge E. Hallyn" <serue@xxxxxxxxxx> wrote:
> > +
> > + bprm->cap_effective = fscaps;
> > + bprm->cap_inheritable = fscaps;
> > + bprm->cap_permitted = fscaps;
> > +
> It does not appear that you're attempting
> to maintain the POSIX exec semantics for
> capability sets. (If you're doing it
> elsewhere in the code, nevermind) I don't
> know if this is intentional or not.
It should be getting done correctly at bprm_apply_creds.
The code you quote here is just setting it on the
binprm, which represents the executable itself (and as
pointed out in the comment above it).
Now the cap_bprm_secureexec() function needs to be
updated as I believe I pointed out in the original
submission. But if anything else is not getting done
right please correct me.
> I will have a closer look, but just for
> grins, I've attached code from the SGI
> OB1 offering of some years back that
> includes a function, cap_recalc, that
> implements the correct behavior. I will
> also take a stab at working it in, but
> I expect someone will beat me to it.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/