On Wed, 26 Jul 2000, Linus Torvalds wrote:
> If somebody sends me a patch to change CAP_SYS_ADMIN into CAP_SYS_RAWIO,
> I'll apply it in a jiffy.
Vojtech Pavlik posted this for IDE:
--- ide.c.old Sat Jul 22 10:19:37 2000
+++ ide.c Sat Jul 22 10:22:02 2000
@@ -2557,7 +2557,7 @@
byte args[4], *argbuf = args;
byte xfer_rate = 0;
int argsize = 4;
- if (!capable(CAP_SYS_ADMIN)) return -EACCES;
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES;
if (NULL == (void *) arg)
return ide_do_drive_cmd(drive, &rq, ide_wait);
if (copy_from_user(args, (void *)arg, 4))
@@ -2595,7 +2595,7 @@
{
byte args[7], *argbuf = args;
int argsize = 7;
- if (!capable(CAP_SYS_ADMIN)) return -EACCES;
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO)) return -EACCES;
if (copy_from_user(args, (void *)arg, 7))
return -EFAULT;
err = ide_wait_cmd_task(drive, argbuf);
And I posted this for SCSI:
--- scsi_ioctl.c~ Tue Mar 14 00:15:03 2000
+++ scsi_ioctl.c Sat Jul 22 11:21:36 2000
@@ -410,7 +410,7 @@
case SCSI_IOCTL_PROBE_HOST:
return ioctl_probe(dev->host, arg);
case SCSI_IOCTL_SEND_COMMAND:
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SYS_RAWIO))
return -EACCES;
return scsi_ioctl_send_command((Scsi_Device *) dev,
(Scsi_Ioctl_Command *) arg);
Arguably RAWIO subsumes ADMIN in theory, but I'll leave it to capabilities
experts to decide whether this should have only one check.
-- "Love the dolphins," she advised him. "Write by W.A.S.T.E.."- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Jul 31 2000 - 21:00:22 EST