Re: [PATCH] track capabilities in default dummy security module code
From: Chris Wright
Date: Tue Jan 04 2005 - 18:53:31 EST
* Chris Wright (chrisw@xxxxxxxx) wrote:
> Switch dummy logic around to set cap_* bits during exec and set*uid based
> on basic uid check. Then check cap_* bits during capable() (rather than
> doing basic uid check). This ensures that capability bits are properly
> initialized in case the capability module is later loaded.
OK, somehow I managed to botch this one. It happens to work fine, but I
should have been more careful with forward porting this 1+ year old patch.
The exec-time calc should go in bprm_apply_creds, not bprm_free_security.
Thanks to Stephen for spotting my mistake.
Signed-off-by: Chris Wright <chrisw@xxxxxxxx>
===== security/dummy.c 1.50 vs edited =====
--- 1.50/security/dummy.c 2005-01-04 13:14:10 -08:00
+++ edited/security/dummy.c 2005-01-04 14:45:31 -08:00
@@ -180,7 +180,6 @@ static int dummy_bprm_alloc_security (st
static void dummy_bprm_free_security (struct linux_binprm *bprm)
{
- dummy_capget(current, ¤t->cap_effective, ¤t->cap_inheritable, ¤t->cap_permitted);
return;
}
@@ -197,6 +196,8 @@ static void dummy_bprm_apply_creds (stru
current->suid = current->euid = current->fsuid = bprm->e_uid;
current->sgid = current->egid = current->fsgid = bprm->e_gid;
+
+ dummy_capget(current, ¤t->cap_effective, ¤t->cap_inheritable, ¤t->cap_permitted);
}
static int dummy_bprm_set_security (struct linux_binprm *bprm)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/