Re: [RFC] capabilities: Ambient capabilities

From: Andy Lutomirski
Date: Mon Mar 30 2015 - 10:31:52 EST


On Mar 30, 2015 7:55 AM, "Christoph Lameter" <cl@xxxxxxxxx> wrote:
>
> On Sat, 14 Mar 2015, Andrew G. Morgan wrote:
>
> >
> > I thought I did. Please implement a lockable secure bit and I will
>
> Would this suffice? It puts the CAP_SETPCAP limitation back to how it
> was in my earlier patch.
>

I really don't like that variant. CAP_SETPCAP is dangerous and so
absurdly powerful that people really shouldn't hand it out.

I'll submit a new version this week with the securebits. Sorry for the delay.

--Andy

>
>
> Subject: ambient caps: Allow disabling with SETPCAP
>
> Do not allow setting ambient caps if CAP_SETPCAP is not set.
>
> Signed-off-by: Christoph Lameter <cl@xxxxxxxxx>
>
> Index: linux/security/commoncap.c
> ===================================================================
> --- linux.orig/security/commoncap.c
> +++ linux/security/commoncap.c
> @@ -962,6 +962,9 @@ int cap_task_prctl(int option, unsigned
> if (((!cap_valid(arg3)) | arg4 | arg5))
> return -EINVAL;
>
> + if (!ns_capable(current_user_ns(), CAP_SETPCAP))
> + return -EPERM;
> +
> if (arg2 == PR_CAP_AMBIENT_GET) {
> return !!cap_raised(current_cred()->cap_ambient, arg3);
> } else if (arg2 != PR_CAP_AMBIENT_RAISE &&
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/