* Grzegorz Jaskiewicz (gj@pointblue.com.pl) wrote:
> On Mon, 2 Jun 2003, Chris Wright wrote:
>
> > @@ -91,7 +92,7 @@
> > * Superuser processes are usually more important, so we make it
> > * less likely that we kill those.
> > */
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
> > + if (!security_capable(p,CAP_SYS_ADMIN) ||
> > p->uid == 0 || p->euid == 0)
> > points /= 4;
> ..............
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
> > + if (!security_capable(p,CAP_SYS_RAWIO))
> > points /= 4;
>
> Correct me if i am wrong, but I think it is not a good idea to favor
> applications with more
> capabilities, as ussualy those are most wanted target on a system.
security_capable() returns 0 if that capability bit is set. so there is
no functional change here, just allows the security module to see the
capability check that was hand coded.
thanks,
-chris
-- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jun 07 2003 - 22:00:16 EST