Re: 2.6.6-mm2

From: Andrew Morton
Date: Thu May 13 2004 - 14:47:57 EST


Chris Wright <chrisw@xxxxxxxx> wrote:
>
> * Andrew Morton (akpm@xxxxxxxx) wrote:
> > Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> > >
> > > > +hugetlb_shm_group-sysctl-gid-0-fix.patch
> > > >
> > > > Don't make gid 0 special for hugetlb shm.
> > >
> > > As Oracle has agreed on fixing their DB to use hugetlbfs could we
> > > please stop doctoring around on this broken patch and revert it.
> >
> > Once I'm convinced that kernel.org kernels will be able to run applications
> > which vendor kernels will run, sure.
>
> What about something that's just simple and generic? This is similar to
> Andrea's disable_cap_mlock patch and the disabling capabilities patch
> that wli produced back in that thread. It would remove the hack, and
> buy us some time to find better solutions. Downside of course (as all
> of these have) is reduced security value.


-ENODOCCO.

I assume one does

modprobe capability mask=32768

and this squashes CAP_IPC_LOCK system-wide?

> Against -mm2, thoughts?

Seems feasible, thanks. It replaces /proc/sys/vm/disable-mlock.

What does Andrea think?

>
> thanks,
> -chris
> --
> Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
>
>
> --- linux-2.6.6-mm2/security/capability.c 2004-05-13 11:19:44.000000000 -0700
> +++ linux-2.6.6-mm2-cap_mask_disable/security/capability.c 2004-05-13 12:01:04.167511552 -0700
> @@ -24,12 +24,24 @@
> #include <linux/ptrace.h>
> #include <linux/moduleparam.h>
>
> +static int capability_mask;
> +module_param_named(mask, capability_mask, int, 0);
> +MODULE_PARM_DESC(mask, "Mask of capability checks to ignore");
> +
> +static int capability_capable(struct task_struct *task, int cap)
> +{
> + if (CAP_TO_MASK(cap) & capability_mask)
> + return 0;
> + else
> + return cap_capable(task, cap);
> +}
> +
> static struct security_operations capability_ops = {
> .ptrace = cap_ptrace,
> .capget = cap_capget,
> .capset_check = cap_capset_check,
> .capset_set = cap_capset_set,
> - .capable = cap_capable,
> + .capable = capability_capable,
> .netlink_send = cap_netlink_send,
> .netlink_recv = cap_netlink_recv,
>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/