Re: Is CAP_SYS_ADMIN checked by every program !?

From: Stephen Smalley
Date: Mon Jan 03 2005 - 09:01:23 EST

Next message: Diego: "Re: About NFS4 in kernel 2.6.9"
Previous message: Adrian Bunk: "Re: Reviving the concept of a stable series (was Re: starting with 2.7)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2004-12-30 at 02:40, Tetsuo Handa wrote:
> I'm developing a kernel patch that provides simple and handy
> MAC(mandatory access control) functionality, much easier than SELinux.
> And now I'm porting the patch from 2.4 to 2.6,
> though the patch can't support LSM, for it refers 'struct vfsmount'.
>
> At first, I doubted that some kernel function (do_execve(), memory management
> functions, or any kernel functions that are always called by every process) is
> doing this CAP_SYS_ADMIN checking. But may be this CAP_SYS_ADMIN checking is
> caused by the Fedora Core 3's libc, not by the kernel.
> I don't have 2.6 kernel environment other than Fedora Core 3.
>
> But anyway, I have to give up checking for CAP_SYS_ADMIN .

Just override the vm_enough_memory security hook with your own function,
as we do in SELinux, to avoid auditing the CAP_SYS_ADMIN check there.
Note that this issue has also come up again on the linux-security-module
mailing list recently, and might be addressed through a change to the
cap_vm_enough_memory hook function.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Diego: "Re: About NFS4 in kernel 2.6.9"
Previous message: Adrian Bunk: "Re: Reviving the concept of a stable series (was Re: starting with 2.7)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]