Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities

From: Klaus Ethgen
Date: Thu Nov 05 2015 - 12:17:13 EST

Next message: James Bottomley: "[GIT PULL] first round of SCSI updates for the 4.3+ merge window"
Previous message: Sowmini Varadhan: "Re: [PATCH v6] i40e: Look up MAC address in Open Firmware or IDPROM"
In reply to: Serge E. Hallyn: "Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities"
Next in thread: Serge E. Hallyn: "Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Serge,

Am Do den 5. Nov 2015 um 17:15 schrieb Serge E. Hallyn:
> I think if you follow your idea to its logical conclusions, you end
> up wanting set SECURE_ALL_BITS | SECURE_ALL_LOCKS, which will include
> SECURE_NO_CAP_AMBIENT_RAISE, disabling ambient capabilities.

That I did miss out and seems to be the solution for the problem. So
adding cap_secure_all_bits,cap_secure_all_locks=ep to every binary that
gets other caps should solve it?

Regards
Klaus
- --
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@xxxxxxxxx>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQGcBAEBCgAGBQJWO48BAAoJEKZ8CrGAGfasXuML/3a9mYfFg36IW7/OsHpo319P
OSVobV+yobXpou+83BupAI9WYSGzlo35yMdzOTJ0ryEex0CPl/f0HoKQdGRNy+Aj
N5JkTzHGhGHi3j1h+UQqX0qUGrIIdvuEBemeeC+Dq4uMwwJihZQKKVPC/DDJOez8
3YU5PVkcp+4yvMsRLZ1kBcME5m4g5uOI6VPYTnE9ymKKuBDX/XhPKKanG8LL7xm0
qdLy7vj1gOdy828nJfgaEjjYvhYqKU10gfnLQ3Xwws5qtcbitCY9AdAllZri23U5
hXzfMyhYu2GLCwd5plTe4A0u0aCDb8/UtYHXjE32CUgsiqqUulyiDvLHa/kmMBvu
RltvZfArUrE+iDdGtAffsI1a6r6u0816XgAP2ybPBSG+KlNin6qHxNK53rJW1xoq
8BvKvS90/XOzN8/n6AmjfmEqFqGzCWgnzT/vD7NUBHRyUdV+weM6Y1QH5XJ8z6w0
8XftXA0hM9ODo2sIpaXRJdiUJecRwen7X8kbs+61cA==
=QOlH
-----END PGP SIGNATURE-----
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: James Bottomley: "[GIT PULL] first round of SCSI updates for the 4.3+ merge window"
Previous message: Sowmini Varadhan: "Re: [PATCH v6] i40e: Look up MAC address in Open Firmware or IDPROM"
In reply to: Serge E. Hallyn: "Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities"
Next in thread: Serge E. Hallyn: "Re: [KERNEL] Re: [KERNEL] Re: [KERNEL] Re: Kernel 4.3 breaks security in systems using capabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]