Re: [PATCH] bugfix: was Re: [ linus-git ] prctl(PR_SET_KEEPCAPS, ...) is broken for some configs, e.g. CONFIG_SECURITY_SELINUX

From: Dmitry Adamushko
Date: Wed Jun 11 2008 - 10:21:29 EST


2008/6/11 Andrew G. Morgan <morgan@xxxxxxxxxx>:
>
> Chris Wright wrote:
> |> + switch (option) {
> |> + case PR_CAPBSET_READ:
> |> + *rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
> |> + break;
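Review bot: In the PR_CAPBSET_READ case, *rc_p is set to 1 for every arg2 that passes cap_valid(), so a caller querying the bounding set through this path is told that each valid capability is present. If that constant answer is the intended behaviour for this configuration, a short comment on the case saying so would save the next reader from treating it as a real bounding-set lookup.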
> |
> | Do we need this one? It's new to 2.6.25, so I think we could not
> | worry about emulating it here.
>
> We're talking about 'fixing' 2.6.26 no? I'd rather not open up the
> possibility that I have to 'fix' it again because of dropping a feature
> of 2.6.25... (Forgive me if I sound like I'm climbing out of a septic
> tank here.)
>
> Dmitry: please verify this change addresses your problem...

well, I fixed it on my side with another approach before sending a
report for this "problem".

It was not immediately clear to me that the concept of "process
capabilities" (as described in "man prctl" as follows
"Set the state of the process's "keep capabilities" flag...")
is not applicable to all possible configurations, meaning that each
configuration has to support it in some way or another.

Moreover, according to the commit's description the changes were supposed
to be 'nop' for all configs besides when the one freshly introduced is
enabled.

Should it have been explicitly specified that thanks to this commit
prctl(KEEPCAPS, ...) turns into "a good citizen" (i.e. stops lying to
userspace about its support of capabilities -- if that's what is
desired), it'd change a further flow of events :-)

ok, anyway, I don't have access to my machine at the moment and can't
guarantee that I'll be able to do a test today.
You may try it with one of the configs I mentioned + a program doing
prctl(KEEPCAPS, 1, ...).

From what I see, yes, it should address this issue.

btw., if I recall right capget() is still "lying" now. capset() did
give an error but Ubuntu's dhclient is somewhat inconsistent as it
checks for a return value of prctl() but not capset().


>
> Cheers
>
> Andrew


--
Best regards,
Dmitry Adamushko
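
An added example, not part of the original message or of dhclient's source: a privilege-setup sequence that checks prctl(PR_SET_KEEPCAPS), capset() and capget() alike, so a kernel configuration that rejects or ignores one of them is noticed. The function names and the choice of capabilities to keep are assumptions made for illustration.

```c
/* Added example; function names are illustrative, not from any project. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Set keep-caps and read the flag back; 0 on success, -errno otherwise. */
int set_keepcaps_checked(unsigned long on)
{
    if (prctl(PR_SET_KEEPCAPS, on, 0, 0, 0) != 0)
        return -errno;
    int now = prctl(PR_GET_KEEPCAPS, 0, 0, 0, 0);
    if (now < 0)
        return -errno;
    return now == (int)on ? 0 : -EIO;   /* accepted but not stored */
}

/* Reduce permitted/effective to (current & keep_lo) for caps 0..31,
 * then verify with capget(); 0 on success, -errno otherwise. */
int restrict_caps_checked(unsigned int keep_lo)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2], chk[2];
    if (syscall(SYS_capget, &hdr, d) != 0)
        return -errno;
    d[0].permitted &= keep_lo;  d[0].effective &= keep_lo;
    d[1].permitted = 0;         d[1].effective = 0;
    if (syscall(SYS_capset, &hdr, d) != 0)  /* check this result as well */
        return -errno;
    if (syscall(SYS_capget, &hdr, chk) != 0)
        return -errno;
    /* Do not rely on success alone: compare what the kernel now reports. */
    if (chk[0].effective != d[0].effective || chk[0].permitted != d[0].permitted
        || chk[1].effective != 0 || chk[1].permitted != 0)
        return -EIO;
    return 0;
}

int main(void)
{
    unsigned int keep = (1u << CAP_NET_RAW) | (1u << CAP_NET_BIND_SERVICE);
    int rc = set_keepcaps_checked(1);
    if (rc == 0) rc = restrict_caps_checked(keep);
    printf("privilege setup rc=%d\n", rc);  /* 0 or a negative errno */
    return rc ? 1 : 0;
}
```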