* [PATCH -mm] prctl: Use CAP_SYS_RESOURCE for PR_SET_MM option
@ 2012-03-07 21:22 Cyrill Gorcunov
0 siblings, 0 replies; only message in thread
From: Cyrill Gorcunov @ 2012-03-07 21:22 UTC (permalink / raw)
To: Andrew Morton
Cc: Michael Kerrisk, Kees Cook, Pavel Emelyanov, Tejun Heo,
Oleg Nesterov, Paul Bolle, KOSAKI Motohiro, LKML
CAP_SYS_ADMIN is already overloaded left and right,
so to have more fine-grained access control use
CAP_SYS_RESOURCE here.
The CAP_SYS_RESOUCE is chosen because this prctl
option allows a current process to adjust some
fields of memory map descriptor which rather
represents what the process owns: pointers to
code, data, stack segments, command line,
auxiliary vector data and etc.
Suggested-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
CC: Andrew Morton <akpm@linux-foundation.org>
CC: Pavel Emelyanov <xemul@parallels.com>
CC: Tejun Heo <tj@kernel.org>
CC: Oleg Nesterov <oleg@redhat.com>
CC: Paul Bolle <pebolle@tiscali.nl>
CC: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
---
Typo is fixed.
kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: linux-2.6.git/kernel/sys.c
===================================================================
--- linux-2.6.git.orig/kernel/sys.c
+++ linux-2.6.git/kernel/sys.c
@@ -1712,7 +1712,7 @@ static int prctl_set_mm(int opt, unsigne
if (arg5 || (arg4 && opt != PR_SET_MM_AUXV))
return -EINVAL;
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_RESOURCE))
return -EPERM;
if (addr >= TASK_SIZE)
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2012-03-07 21:22 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-03-07 21:22 [PATCH -mm] prctl: Use CAP_SYS_RESOURCE for PR_SET_MM option Cyrill Gorcunov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.