Re: [PATCH] Document how capability bits work

From: Andy Lutomirski
Date: Fri Dec 07 2012 - 14:32:26 EST


On Fri, Dec 7, 2012 at 11:21 AM, Serge Hallyn
<serge.hallyn@xxxxxxxxxxxxx> wrote:
> Quoting Andy Lutomirski (luto@xxxxxxxxxxxxxx):
>> Signed-off-by: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
>> ---
>> Documentation/security/capabilities.txt | 161 ++++++++++++++++++++++++++++++++
>> 1 file changed, 161 insertions(+)
>> create mode 100644 Documentation/security/capabilities.txt
>
> TBH, I think a pointer to the capabilities.7 man page would be better.
> (plus, if you feel they are needed, updates to the man page)

Updating capabilities.7 wouldn't be a bad idea, but IMO it certainly
needs work. For example, it says:

Inheritable:
This is a set of capabilities preserved across an execve(2). It
provides a mechanism for a process to assign capabilities to the
permitted set of the new program during an execve(2).

This is, at best, misleading.

Permitted says:

If a thread drops a capability from its permitted set, it can
never reacquire that capability (unless it execve(2)s either a
set-user-ID-root program, or a program whose associated file
capabilities grant that capability).

That's just not true (e.g. if uid == 0).

The text later on is better, but I think it would be helpful to have a
detailed and succinct description of what's going on.

I would be happy to revise this patch to reference capabilities.7.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/