From mboxrd@z Thu Jan 1 00:00:00 1970 From: Andrew Morgan Subject: Re: [PATCH RFC] capabilities: introduce per-process capability bounding set Date: Wed, 19 Sep 2007 21:16:58 -0700 Message-ID: <46F1F43A.8080003@kernel.org> References: <20070914185257.GA11064@sergelap.austin.ibm.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20070914185257.GA11064-6s5zFf/epYLPQpwDFJZrxKsjOiXwFzmk@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: "Serge E. Hallyn" Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org, "Eric W. Biederman" List-Id: containers.vger.kernel.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Serge E. Hallyn wrote: > + case PR_GET_CAPBSET: > + error = put_user(current->cap_bset, (unsigned long __user *)arg2); > + break; > + case PR_SET_CAPBSET: > + if (!capable(CAP_SYS_ADMIN)) > + return -EPERM; > + if (!cap_issubset(arg2, current->cap_bset)) > + return -EINVAL; > + current->cap_bset = arg2; > + break; You need to pass the capability magic value in both get and set directions... Otherwise, you'll not be able to tell what vintage of cap_bset you are manipulating. Cheers Andrew -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFG8fQ0QheEq9QabfIRApzJAKCUSxj72X4F++kNGy29oO6FE/OGAgCeIrBw dzyfE/XF2Fl71WQvIwu/E9s= =hkFZ -----END PGP SIGNATURE-----