Re: [PATCH] capabilities: Ambient capability set V2

[Serge E. Hallyn]

On Mon, Mar 09, 2015 at 07:05:24AM -0500, Christoph Lameter wrote:
> On Sat, 7 Mar 2015, Serge E. Hallyn wrote:
> 
> > > The ancestor here is ambient_test and when it is run pI will not be set
> > > despite the cap setting.
> >
> > ambient_test is supposed to set it.
> 
> I thought the setcap +i would do it.
> 
> So the setcap and setting of the file inheritance bits has no effect on
> pI? When the process starts pI is off despite fI being set?

Correct, pI must be set through capset().  Again, x in fI is saying
that the certain trusted users may have x in pP when they run the
binary;  x in pi means that the users may have x in pP when they run
certain files.  Other users running the file won't have x in pP, and
the special user running other files won't have x in pP.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/