* Chris Wright (chrisw@xxxxxxxx) wrote:
* Andy Lutomirski (luto@xxxxxxxxxxxxx) wrote:
This version throws out the inheritable mask. There is no change in
behavior with newcaps=0.
Alright, I tried to write up my expectations for all the various modes
w.r.t dropping privs, keeping them, setuid apps, etc. I then wrote some
tests to get a baseline, and well as a way to compare results. Finally
I wrote a patch that meets the requirements I laid out, and compared it
against yours. With one minor exception, the capabilities bits match
up. You drop effective caps when a non-root users execs a non-root
setuid app, and I the caps alone. One side note, you're changes effect
the user/group saved ids unexpectedly.
The tests are available at:
http://developer.osdl.org/~chrisw/capabilities/testcap.tar.bz2
patch is there too and is also inline below:
http://developer.osdl.org/~chrisw/capabilities/2.6.6-mm2/chris_cap.patch
--- linux-2.6.6-mm2-cap/include/linux/capability.h.orig 2004-05-09 19:32:26.000000000 -0700
+++ linux-2.6.6-mm2-cap/include/linux/capability.h 2004-05-17 23:24:08.143860096 -0700
@@ -309,7 +309,9 @@
#define CAP_EMPTY_SET to_cap_t(0)
#define CAP_FULL_SET to_cap_t(~0)
#define CAP_INIT_EFF_SET to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
-#define CAP_INIT_INH_SET to_cap_t(0)
+#define CAP_INIT_INH_SET to_cap_t(~0)
+/* ~0 is legacy inheritable mode and can never be capset by user */
+#define cap_orig_inh(_cap) (cap_t((_cap)) == ~0)
@@ -56,10 +59,13 @@
int cap_capset_check (struct task_struct *target, kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
+ kernel_cap_t target_inheritable = target->cap_inheritable;
+ if (cap_orig_inh(target_inheritable))
+ target_inheritable = 0;
/* Derived from kernel/capability.c:sys_capset. */
/* verify restrictions on target's new Inheritable set */
if (!cap_issubset (*inheritable,
- cap_combine (target->cap_inheritable,
+ cap_combine (target_inheritable,
current->cap_permitted))) {
return -EPERM;
}