Re: [RFC] capabilities: Ambient capabilities

From: Christoph Lameter
Date: Mon Mar 30 2015 - 08:55:20 EST

Next message: Octavian Purdila: "Re: [PATCH] IIO: Adds ACPI support for ST gyroscopes"
Previous message: Peter Zijlstra: "Re: [PATCH V2] sched: Improve load balancing in the presence of idle CPUs"
Next in thread: Andy Lutomirski: "Re: [RFC] capabilities: Ambient capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 14 Mar 2015, Andrew G. Morgan wrote:

>
> I thought I did. Please implement a lockable secure bit and I will

Would this suffice? It puts the CAP_SETPCAP limitation back to how it
was in my earlier patch.

Subject: ambient caps: Allow disabling with SETPCAP

Do not allow setting ambient caps if CAP_SETPCAP is not set.

Signed-off-by: Christoph Lameter <cl@xxxxxxxxx>

Index: linux/security/commoncap.c
===================================================================
--- linux.orig/security/commoncap.c
+++ linux/security/commoncap.c
@@ -962,6 +962,9 @@ int cap_task_prctl(int option, unsigned
if (((!cap_valid(arg3)) | arg4 | arg5))
return -EINVAL;

+ if (!ns_capable(current_user_ns(), CAP_SETPCAP))
+ return -EPERM;
+
if (arg2 == PR_CAP_AMBIENT_GET) {
return !!cap_raised(current_cred()->cap_ambient, arg3);
} else if (arg2 != PR_CAP_AMBIENT_RAISE &&
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Octavian Purdila: "Re: [PATCH] IIO: Adds ACPI support for ST gyroscopes"
Previous message: Peter Zijlstra: "Re: [PATCH V2] sched: Improve load balancing in the presence of idle CPUs"
Next in thread: Andy Lutomirski: "Re: [RFC] capabilities: Ambient capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]