Re: [PATCH] capabilities: introduce per-process capability boundingset (v10)
From: KaiGai Kohei
Date: Tue Dec 04 2007 - 10:47:32 EST
Andrew Morgan wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
KaiGai Kohei wrote:
Serge,
Please tell me the meanings of the following condition.
diff --git a/security/commoncap.c b/security/commoncap.c
index 3a95990..cb71bb0 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -133,6 +119,12 @@ int cap_capset_check (struct task_struct *target,
kernel_cap_t *effective,
/* incapable of using this inheritable set */
return -EPERM;
}
+ if (!!cap_issubset(*inheritable,
+ cap_combine(target->cap_inheritable,
+ current->cap_bset))) {
+ /* no new pI capabilities outside bounding set */
+ return -EPERM;
+ }
/* verify restrictions on target's new Permitted set */
if (!cap_issubset (*permitted,
It seems to me this condition requires the new inheritable capability
set must have a capability more than bounding set, at least.
What is the purpose of this checking?
Yes, the !! was a bug. The correct check is a single !.
I was in trouble with getting -EPERM at pam_cap.so :-)
(Thus, the correct check says no 'new' pI bits can be outside cap_bset.)
If this condition intends to dominate 'new' pI bits by 'old' pI bits masked
with bounding set, we should not apply cap_combine() here.
I think applying cap_intersect() is correct for the purpose.
Thanks,
--
KaiGai Kohei
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/