[PATCH] capabilities not inherited

From: Manfred Georg
Date: Wed Jun 08 2005 - 15:28:29 EST


Hi,

I was working with passing capabilities through an exec and it
didn't do what I expected it to. That is, if I set a bit in
the inherited capabilities, it is not "inherited" after an
exec(). After going through the code many times, and still not
understanding it, I hacked together this patch. It probably
has unforeseen side effects and there was probably some
reason it was not done in the first place.

Thanks for the kernel; I have a newfound appreciation for it.

Manfred

Patch against 2.6.12-rc6:

Signed-off-by: Manfred Georg <mgeorg@xxxxxxxxxxxxx>

diff -uprN -X dontdiff linux-2.6.12-rc6/security/commoncap.c linux/security/commoncap.c
--- linux-2.6.12-rc6/security/commoncap.c 2005-03-02 01:38:07.000000000 -0600
+++ linux/security/commoncap.c 2005-06-08 14:02:21.000000000 -0500
@@ -113,10 +113,11 @@ int cap_bprm_set_security (struct linux_
{
/* Copied from fs/exec.c:prepare_binprm. */

- /* We don't have VFS support for capabilities yet */
- cap_clear (bprm->cap_inheritable);
- cap_clear (bprm->cap_permitted);
- cap_clear (bprm->cap_effective);
+ bprm->cap_inheritable = current->cap_inheritable;
+ bprm->cap_permitted = cap_intersect(current->cap_inheritable,
+ current->cap_permitted);
+ bprm->cap_effective = cap_intersect(bprm->cap_permitted,
+ current->cap_effective);

/* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we raise all three
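Review bot: the hunk drops the comment explaining why the three sets were cleared ("We don't have VFS support for capabilities yet") but adds no comment stating the new rule, and the remaining "Copied from fs/exec.c:prepare_binprm" line above it is now stale because the code no longer matches what it was copied from. The new permitted set, `cap_intersect(current->cap_inheritable, current->cap_permitted)`, is derived entirely from the calling process; nothing about the executable being run (there is no file-derived inheritable or permitted mask here) limits which bits survive the exec, so the bits a process places in its inheritable set will carry into any binary it executes. That is a deliberate model change, not an oversight fix, and it also needs to be checked against the compatibility-mode code that follows, which raises all three sets for root and suid-root executables on top of whatever this hunk computed. Please either add a comment that states the intended semantics and the reason the executable is not consulted, or keep the clearing in place until a file-derived set is available to intersect with.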
