Re: 2.6.6-mm2

From: Chris Wright
Date: Thu May 13 2004 - 14:36:58 EST


* Andrew Morton (akpm@xxxxxxxx) wrote:
> Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> >
> > > +hugetlb_shm_group-sysctl-gid-0-fix.patch
> > >
> > > Don't make gid 0 special for hugetlb shm.
> >
> > As Oracle has agreed on fixing their DB to use hugetlbfs could we
> > please stop doctoring around on this broken patch and revert it.
>
> Once I'm convinced that kernel.org kernels will be able to run applications
> which vendor kernels will run, sure.

What about something that's just simple and generic? This is similar to
Andrea's disable_cap_mlock patch and the disabling capabilities patch
that wli produced back in that thread. It would remove the hack, and
buy us some time to find better solutions. Downside of course (as all
of these have) is reduced security value.

Against -mm2, thoughts?

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net


--- linux-2.6.6-mm2/security/capability.c 2004-05-13 11:19:44.000000000 -0700
+++ linux-2.6.6-mm2-cap_mask_disable/security/capability.c 2004-05-13 12:01:04.167511552 -0700
@@ -24,12 +24,24 @@
#include <linux/ptrace.h>
#include <linux/moduleparam.h>

+static int capability_mask;
+module_param_named(mask, capability_mask, int, 0);
+MODULE_PARM_DESC(mask, "Mask of capability checks to ignore");
+
+static int capability_capable(struct task_struct *task, int cap)
+{
+ if (CAP_TO_MASK(cap) & capability_mask)
+ return 0;
+ else
+ return cap_capable(task, cap);
+}
+
static struct security_operations capability_ops = {
.ptrace = cap_ptrace,
.capget = cap_capget,
.capset_check = cap_capset_check,
.capset_set = cap_capset_set,
- .capable = cap_capable,
+ .capable = capability_capable,
.netlink_send = cap_netlink_send,
.netlink_recv = cap_netlink_recv,
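Review bot: capability_capable() returns 0 (permission granted) for any task whenever CAP_TO_MASK(cap) is set in capability_mask, so a masked capability is effectively granted to every process on the system, not only to the application this is meant to accommodate; the MODULE_PARM_DESC text "Mask of capability checks to ignore" should spell that out (e.g. "bitmask of capabilities granted to all processes, bypassing cap_capable()"), and a one-line printk at init when the mask is non-zero would let administrators see in the boot log that checks have been disabled. The module_param_named() permission of 0 means the mask is set only at boot or module load and is not readable from sysfs afterwards; if that is intentional as a safeguard against run-time changes, a comment saying so would help, otherwise consider 0444 so the effective mask can be audited.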
