Re: [PATCH] capabilities: introduce per-process capability boundingset (v10)

[KaiGai Kohei]

Andrew Morgan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> KaiGai Kohei wrote:
> > Andrew Morgan wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > KaiGai Kohei wrote:
> > > > > +    if (!!cap_issubset(*inheritable,
> > > > > +               cap_combine(target->cap_inheritable,
> > > > > +                       current->cap_bset))) {
> > > > > +        /* no new pI capabilities outside bounding set */
> > > > > +        return -EPERM;
> > > > > +    }
> > > > >  
>
> > > Yes, the !! was a bug. The correct check is a single !.
> > I was in trouble with getting -EPERM at pam_cap.so :-)
> >
> > > (Thus, the correct check says no 'new' pI bits can be outside cap_bset.)
> > If this condition intends to dominate 'new' pI bits by 'old' pI bits masked
> > with bounding set, we should not apply cap_combine() here.
> > I think applying cap_intersect() is correct for the purpose.
>
> The check is not meant to limit existing pI bits.
>
> The check is meant to limit what new bits can be 'added' to pI (in the
> case that pE & CAP_SETPCAP is true).

Thanks, I got understood as I wrote in the previous reply.

BTW, could you tell me your intention about pam_cap.c is implemented
with pam_sm_authenticate() and pam_sm_setcred()?
I think it can be done with pam_sm_open_session(), and this approach
enables to reduce the iteration of reading /etc/security/capability.conf.

How do you think the idea?
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/