Re: [PATCH] Properly split capset_check+capset_set

From: Chris Wright
Date: Wed Dec 15 2004 - 18:31:58 EST


* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> As Stephen Smalley pointed out, the cap_capset_check code is redundant
> with what is hardcoded in kernel/capability.c:sys_capset(). On the
> other hand, because the security_capset_set hook is responsible for
> doing both an authorization check and doing the actual change,
> (particularly, in the case of a cap_set_all or cap_set_pg), when
> stacking security modules, the first module may complete the
> capset_set before the second module refuses permission.

The problem is that the module was (theoretically) allowed to manage
capability bits all on its own. I think it's a bit of a braindamaged
idea though, and the bits should just stay in the ->cap_* fields.

> The attached patch (against 2.6.10-rc3-mm1 w/ ioctl patch) removes the
> redundant cap_capset_check hook and moves the security_capset_check
> call to just before security_capset_set. The selinux_capset_set hook
> now simply sets the capability (through its secondary), while
> selinux_capset_check checks the authorization permission.

I think Stephen mentioned this already, but you lose an error now,
where you continue in cap_set_all().

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
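The stacking problem Serge describes above (the first module completes its capset_set before the second module refuses) is easiest to see in a small model. The following user-space C program is an added example written for this page; it is not code from the thread, from the patch, or from the kernel. The module table, the `struct task` with `cap_*` fields, the `lsm_mod` check/set function pointers, the `POLICY_DENIED_BIT` policy and the `run_capset` helper are all hypothetical stand-ins for the real LSM hook interface, and `kernel_cap_t` is modelled as a plain unsigned int. It runs the same denied request through a combined check-and-set hook sequence and through a split sequence where every module's check runs before any module's set, and reports whether the task's capability bits were modified despite the -EPERM.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int cap_t;          /* stand-in for kernel_cap_t (assumption) */

struct task {                        /* the ->cap_* fields the thread refers to */
    cap_t cap_effective, cap_inheritable, cap_permitted;
};

/* Hypothetical stacked-module interface: one check hook and one set hook. */
struct lsm_mod {
    int  (*capset_check)(const struct task *t, cap_t eff, cap_t inh, cap_t perm);
    void (*capset_set)(struct task *t, cap_t eff, cap_t inh, cap_t perm);
};

/* Module A (primary, owns the bits): permitted may not grow, and effective
 * and inheritable must stay within the new permitted set. */
static int mod_a_check(const struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    if (perm & ~t->cap_permitted) return -EPERM;
    if ((eff | inh) & ~perm)      return -EPERM;
    return 0;
}
static void mod_a_set(struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    t->cap_effective   = eff;
    t->cap_inheritable = inh;
    t->cap_permitted   = perm;
}

/* Module B (secondary, hypothetical site policy): refuses one bit in the
 * effective set and never touches the bits itself. */
#define POLICY_DENIED_BIT (1u << 5)
static int mod_b_check(const struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    (void)t; (void)inh; (void)perm;
    return (eff & POLICY_DENIED_BIT) ? -EPERM : 0;
}
static void mod_b_set(struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    (void)t; (void)eff; (void)inh; (void)perm;   /* bits stay in ->cap_* */
}

static const struct lsm_mod stack[] = {
    { mod_a_check, mod_a_set },
    { mod_b_check, mod_b_set },
};
#define NMODS (sizeof stack / sizeof stack[0])

/* Pre-split shape: each module checks and immediately sets, in turn. */
static int capset_combined(struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    for (size_t i = 0; i < NMODS; i++) {
        int rc = stack[i].capset_check(t, eff, inh, perm);
        if (rc)
            return rc;                 /* earlier modules already wrote t */
        stack[i].capset_set(t, eff, inh, perm);
    }
    return 0;
}

/* Split shape: every module's check runs before any module's set. */
static int capset_split(struct task *t, cap_t eff, cap_t inh, cap_t perm)
{
    for (size_t i = 0; i < NMODS; i++) {
        int rc = stack[i].capset_check(t, eff, inh, perm);
        if (rc)
            return rc;                 /* nothing has been written yet */
    }
    for (size_t i = 0; i < NMODS; i++)
        stack[i].capset_set(t, eff, inh, perm);
    return 0;
}

struct capset_result { int rc; int changed; };

/* Run one capset against a fresh task (constructed sample state) and report
 * the return code plus whether the task's bits were modified. */
struct capset_result run_capset(int split, cap_t eff, cap_t inh, cap_t perm)
{
    struct task t = { .cap_effective = 0x3, .cap_inheritable = 0x1,
                      .cap_permitted = 0xff };
    struct task before = t;
    struct capset_result r;
    r.rc = split ? capset_split(&t, eff, inh, perm)
                 : capset_combined(&t, eff, inh, perm);
    r.changed = memcmp(&t, &before, sizeof t) != 0;
    return r;
}

int main(void)
{
    /* Request that adds the policy-forbidden bit: A allows, B denies. */
    struct capset_result c = run_capset(0, 0x3 | POLICY_DENIED_BIT, 0x1, 0xff);
    struct capset_result s = run_capset(1, 0x3 | POLICY_DENIED_BIT, 0x1, 0xff);
    printf("combined: rc=%d task_changed=%d\n", c.rc, c.changed);
    printf("split:    rc=%d task_changed=%d\n", s.rc, s.changed);
    return 0;
}
```

With the combined ordering the call returns -EPERM but the task already carries the new effective set, which is exactly the state a caller cannot distinguish from a clean refusal; with the split ordering a refused call leaves the task untouched and an allowed call still applies the change once through the primary module. Chris's remark about losing an error applies to the real patch's loop in cap_set_all(), which this model does not reproduce.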