linux capabilities oddity

From: Frank v Waveren
Date: Sun Jul 23 2006 - 10:34:39 EST

I sent this to linux-privs-discuss, but that list appears to be dead.
Perhaps someone here can help me?

While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
working, I came across the following code at

void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
/* Derived from fs/exec.c:compute_creds. */
kernel_cap_t new_permitted, working;

new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
working = cap_intersect (bprm->cap_inheritable,
new_permitted = cap_combine (new_permitted, working);

Here the new permitted set gets limited to the bits in cap_bset, which
is as it should be, but then the intersection of the of the current
and exec inheritable masks get added to that set, whereas as I
understand it, cap_bset should always be the bounding set.

This triggered a problem where the /sbin/init on a gentoo install disk
(which I was using as an quick&dirty UML root disk for testing) for
some reason did something to set its inheritable mask to ~0, which
then propagated to all the processes that ran as root, which meant
that the cap bound didn't apply to them.

I took out the cap_combine and didn't notice any ill effects on some
quick tests, though I don't know POSIX capabilities well enough to say
all the behaviour was per the standard. If someone could tell me what
those lines are for, and if its foiling of cap-bound limits is on
purpose, I'd be most grateful.

Frank v Waveren Key fingerprint: BDD7 D61E
fvw@xxxxxx 5D39 CF05 4BFC F57A
Public key: hkp:// FA00 7D51 468D 62C8

Attachment: signature.asc
Description: Digital signature