From: Topi Miettinen <toiwoton@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: "Topi Miettinen" <toiwoton@gmail.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Ingo Molnar" <mingo@redhat.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Serge Hallyn" <serge.hallyn@canonical.com>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Kees Cook" <keescook@chromium.org>,
"Christoph Lameter" <cl@linux.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
"Richard W.M. Jones" <rjones@redhat.com>,
"Iago López Galeiras" <iago@endocode.com>,
"Chris Metcalf" <cmetcalf@ezchip.com>,
"Andy Lutomirski" <luto@kernel.org>, "Jann Horn" <jann@thejh.net>,
linux-fsdevel@vger.kernel.org (open list:FILESYSTEMS (VFS and
infrastructure)),
linux-security-module@vger.kernel.org (open list:CAPABILITIES)
Subject: [RFC 01/18] capabilities: track actually used capabilities
Date: Mon, 13 Jun 2016 22:44:08 +0300
Message-ID: <1465847065-3577-2-git-send-email-toiwoton@gmail.com>
In-Reply-To: <1465847065-3577-1-git-send-email-toiwoton@gmail.com>
Track what capabilities are actually used and present the current
situation in /proc/self/status.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
fs/exec.c | 1 +
fs/proc/array.c | 1 +
include/linux/sched.h | 1 +
kernel/capability.c | 1 +
4 files changed, 4 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index 887c1c9..ff6f644 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1269,6 +1269,7 @@ void setup_new_exec(struct linux_binprm * bprm)
if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)
set_dumpable(current->mm, suid_dumpable);
}
+ cap_clear(current->cap_used);
/* An exec changes our domain. We are no longer part of the thread
group */
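Review bot: this clear resets cap_used only on exec; nothing in the patch initialises it on fork, so a child created by copy_process() inherits the parent's accumulated bits through the task_struct copy until it execs itself. If that inheritance is intended, the commit message should say so; otherwise copy_process() needs a matching cap_clear(). Note also that any capability check that succeeds earlier in the exec path, before setup_new_exec() runs, is wiped by this clear, so the reported set covers only what the new image has done since the point of no return.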
diff --git a/fs/proc/array.c b/fs/proc/array.c
index 88c7de1..cccc9ee 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -343,6 +343,7 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
render_cap_t(m, "CapEff:\t", &cap_effective);
render_cap_t(m, "CapBnd:\t", &cap_bset);
render_cap_t(m, "CapAmb:\t", &cap_ambient);
+ render_cap_t(m, "CapUsd:\t", &p->cap_used);
}
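Review bot: the new "CapUsd:" line needs an entry in Documentation/filesystems/proc.txt next to the other Cap* fields. Two properties worth stating there: the value is read from p->cap_used with no locking while p may be raising bits concurrently, so on 32-bit a kernel_cap_t read can be torn (acceptable for a diagnostic, but it should be documented), and /proc/PID/status is readable by every user, so this line tells any reader which privileged operations another process has actually exercised rather than merely holds; consider whether it should be shown only to the task's owner or to ptrace-capable readers.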
static inline void task_seccomp(struct seq_file *m, struct task_struct *p)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index 6e42ada..9c48a08 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1918,6 +1918,7 @@ struct task_struct {
#ifdef CONFIG_MMU
struct task_struct *oom_reaper_list;
#endif
+ kernel_cap_t cap_used; /* Capabilities actually used */
/* CPU-specific state of this task */
struct thread_struct thread;
/*
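Review bot: the comment on the new field should explain why the set lives on task_struct rather than in struct cred beside cap_effective and friends: creds are copy-on-write and shared, so raising a bit on every successful check would force a private cred copy, whereas a per-task field can be updated by the task itself without locking. It should also state the lifetime rule, since with no initialisation in copy_process() the field is copied from the parent on fork and cleared only by the fs/exec.c hunk.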
diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..aad8854 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -380,6 +380,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
}
if (security_capable(current_cred(), ns, cap) == 0) {
+ cap_raise(current->cap_used, cap);
current->flags |= PF_SUPERPRIV;
return true;
}
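Review bot: raising the bit here records only checks that pass through ns_capable(); callers that invoke security_capable() directly, such as has_ns_capability() and has_capability() on another task's creds and file_ns_capable() on a file's f_cred, leave no trace, so "CapUsd:" is a lower bound and the commit message should say so. A successful ns_capable() call is also not the same as the privilege being exercised: code that calls capable() to choose between a privileged and an unprivileged path sets the bit whenever the check succeeds, even if it then takes the unprivileged path, while denied checks are never recorded. Spelling out which semantics is intended would let users of the field judge whether it is a safe basis for deciding which capabilities a program can drop.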
--
2.8.1