Quoting Kohei KaiGai (kaigai@xxxxxxxxxxxxx):diff --git a/security/Kconfig b/security/Kconfig
index 25ffe1b..b79e830 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,6 +91,15 @@ config SECURITY_FILE_CAPABILITIES
If in doubt, answer N.
+config SECURITY_CAPABILITIES_EXPORT
+ bool "Exporting capabilities kernel supported"
+ depends on SECURITY_CAPABILITIES && SYSFS
Oh no, we're being bit by this again... When SECURITY=n, capabilities
are compiled in but SECURITY_CAPABILITIES=n.
Months ago I floated the following patch so we'd have a CONFIG variable
to let us know whether commoncap is compiled in. You might want to use
this and depend on CONFIG_COMMONCAP? (Though really I personally don't
think you need your own config variable for this)
Other than that, this tested fine for me.
thanks,
-serge
From 54c70ca7671750fe8986451fae91d42107d0ca90 Mon Sep 17 00:00:00 2001From: Serge E. Hallyn <serue@xxxxxxxxxx>
Date: Fri, 28 Sep 2007 10:33:33 -0500
Subject: [PATCH 1/2] capabilities: define CONFIG_COMMONCAP
currently the compilation of commoncap.c is determined
through Makefile logic. So there is no single CONFIG
variable which can be relied upon to know whether it
will be compiled.
Define CONFIG_COMMONCAP to be true when lsm is not
compiled in, or when the capability or rootplug modules
are compiled. These are the cases when commoncap is
currently compiled. Use this variable in security/Makefile
to determine commoncap.c's compilation.
Apart from being a logic cleanup, this is needed by the
upcoming cap_bset patch so that prctl can know whether
PR_SET_BSET should be allowed.
Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
---
security/Kconfig | 4 ++++
security/Makefile | 9 +++------
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/security/Kconfig b/security/Kconfig
index 8086e61..02b33fa 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -103,6 +103,10 @@ config SECURITY_ROOTPLUG
If you are unsure how to answer this question, answer N.
+config COMMONCAP
+ bool
+ default !SECURITY || SECURITY_CAPABILITIES || SECURITY_ROOTPLUG
+
source security/selinux/Kconfig
endmenu
diff --git a/security/Makefile b/security/Makefile
index ef87df2..7cccc81 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -5,14 +5,11 @@
obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
-# if we don't select a security model, use the default capabilities
-ifneq ($(CONFIG_SECURITY),y)
-obj-y += commoncap.o
-endif
+obj-$(CONFIG_COMMONCAP) += commoncap.o
# Object file lists
obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o
# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
-obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
-obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
+obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o
+obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o