From: Kohei KaiGai <kaigai@ak.jp.nec.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: "Andrew G. Morgan" <morgan@kernel.org>,
	greg@kroah.com, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/3] exporting capability name/code pairs (final#2)
Date: Fri, 07 Mar 2008 13:30:52 +0900	[thread overview]
Message-ID: <47D0C4FC.1020900@ak.jp.nec.com> (raw)
In-Reply-To: <20080226205810.GA4523@sergelap.austin.ibm.com>

Who can pick up this patch into the upstream tree?

It's unclear to me, because no one is explicitly listed
as a maintainer of capabilities.

# I believe we need no more technical discussion
# on this feature.

Serge E. Hallyn wrote:
> Quoting Andrew G. Morgan (morgan@kernel.org):
>>
>> Acked-by: Andrew G. Morgan <morgan@kernel.org>
>> Tested-by: Andrew G. Morgan <morgan@kernel.org>
> 
> Also
> 
> Acked-by: Serge Hallyn <serue@us.ibm.com>
> Tested-by: Serge Hallyn <serue@us.ibm.com>
> 
> thanks,
> -serge
> 
> (plus you taught me a thing or two about kernel makefiles...)

Sorry, I made an oversight.

However, I'm not an expert in kernel makefiles.
It follows the bottom of kernel/Makefile as an example.

Thanks,

>> Cheers
>>
>> Andrew
>>
>> Kohei KaiGai wrote:
>> | [PATCH 2/3] exporting capability name/code pairs
>> |
>> | This patch makes it possible to export the code/name pairs of capabilities
>> | the running kernel supports.
>> |
>> | A newer kernel sometimes adds new capabilities, like CAP_MAC_ADMIN
>> | at 2.6.25. However, we have no interface to disclose what capabilities
>> | are supported on the running kernel. Thus, we have to keep the libcap
>> | version in sync with the kernel.
>> |
>> | This patch enables libcap to collect the list of capabilities at run time,
>> | and provide them for users. It helps to improve the portability of the library.
>> |
>> | It exports this information as regular files under /sys/kernel/capability.
>> | The numeric node exports its name, the symbolic node exports its code.
>> |
>> | Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
>> | --
>> |  Documentation/ABI/testing/sysfs-kernel-capability |   23 +++++
>> |  scripts/mkcapnames.sh                             |   44 +++++++++
>> |  security/Makefile                                 |    9 ++
>> |  security/commoncap.c                              |   99
>> +++++++++++++++++++++
>> |  4 files changed, 175 insertions(+), 0 deletions(-)
>> |
>> | diff --git a/Documentation/ABI/testing/sysfs-kernel-capability
>> b/Documentation/ABI/testing/sysfs-kernel-capability
>> | index e69de29..d4a14e7 100644
>> | --- a/Documentation/ABI/testing/sysfs-kernel-capability
>> | +++ b/Documentation/ABI/testing/sysfs-kernel-capability
>> | @@ -0,0 +1,23 @@
>> | +What:		/sys/kernel/capability
>> | +Date:		Feb 2008
>> | +Contact:	KaiGai Kohei <kaigai@ak.jp.nec.com>
>> | +Description:
>> | +		The entries under /sys/kernel/capability are used to export
>> | +		the list of capabilities the running kernel supports.
>> | +
>> | +		- /sys/kernel/capability/version
>> | +		  returns the most preferable version number for the
>> | +		  running kernel.
>> | +		  e.g) $ cat /sys/kernel/capability/version
>> | +		       0x20071026
>> | +
>> | +		- /sys/kernel/capability/code/<numerical representation>
>> | +		  returns its symbolic representation, on reading.
>> | +		  e.g) $ cat /sys/kernel/capability/codes/30
>> | +		       cap_audit_control
>> | +
>> | +		- /sys/kernel/capability/name/<symbolic representation>
>> | +		  returns its numerical representation, on reading.
>> | +		  e.g) $ cat /sys/kernel/capability/names/cap_sys_pacct
>> | +		       20
>> | +
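Review bot: the documented paths do not match what the code registers. The Description lists /sys/kernel/capability/code/<numerical representation> and /sys/kernel/capability/name/<symbolic representation>, while the examples directly beneath them read codes/30 and names/cap_sys_pacct, and the attribute groups in the commoncap.c hunk are named "codes" and "names". Since this file defines the ABI, the two Description entries should read .../codes/<numerical representation> and .../names/<symbolic representation> so they agree with the examples and the implementation.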
>> | diff --git a/scripts/mkcapnames.sh b/scripts/mkcapnames.sh
>> | index e69de29..5d36d52 100644
>> | --- a/scripts/mkcapnames.sh
>> | +++ b/scripts/mkcapnames.sh
>> | @@ -0,0 +1,44 @@
>> | +#!/bin/sh
>> | +
>> | +#
>> | +# generate a cap_names.h file from include/linux/capability.h
>> | +#
>> | +
>> | +CAPHEAD="`dirname $0`/../include/linux/capability.h"
>> | +REGEXP='^#define CAP_[A-Z_]+[ 	]+[0-9]+$'
>> | +NUMCAP=`cat "$CAPHEAD" | egrep -c "$REGEXP"`
>> | +
>> | +echo '#ifndef CAP_NAMES_H'
>> | +echo '#define CAP_NAMES_H'
>> | +echo
>> | +echo '/*'
>> | +echo ' * Do NOT edit this file directly.'
>> | +echo ' * This file is generated from include/linux/capability.h
>> automatically'
>> | +echo ' */'
>> | +echo
>> | +echo '#if !defined(SYSFS_CAP_NAME_ENTRY) ||
>> !defined(SYSFS_CAP_CODE_ENTRY)'
>> | +echo '#error cap_names.h should be included from security/capability.c'
>> | +echo '#else'
>> | +echo "#if $NUMCAP != CAP_LAST_CAP + 1"
>> | +echo '#error mkcapnames.sh cannot collect capabilities correctly'
>> | +echo '#else'
>> | +cat "$CAPHEAD" | egrep "$REGEXP" \
>> | +    | awk '{ printf("SYSFS_CAP_NAME_ENTRY(%s,%s);\n", tolower($2),
>> $2); }'
>> | +echo
>> | +echo 'static struct attribute *capability_name_attrs[] = {'
>> | +cat "$CAPHEAD" | egrep "$REGEXP" \
>> | +    | awk '{ printf("\t&%s_name_attr.attr,\n", tolower($2)); } END {
>> print "\tNULL," }'
>> | +echo '};'
>> | +
>> | +echo
>> | +cat "$CAPHEAD" | egrep "$REGEXP" \
>> | +    | awk '{ printf("SYSFS_CAP_CODE_ENTRY(%s,%s);\n", tolower($2),
>> $2); }'
>> | +echo
>> | +echo 'static struct attribute *capability_code_attrs[] = {'
>> | +cat "$CAPHEAD" | egrep "$REGEXP" \
>> | +    | awk '{ printf("\t&%s_code_attr.attr,\n", tolower($2)); } END {
>> print "\tNULL," }'
>> | +echo '};'
>> | +
>> | +echo '#endif'
>> | +echo '#endif'
>> | +echo '#endif'
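Review bot: the message on the `echo '#error cap_names.h should be included from security/capability.c'` line names the wrong file; the generated header is included from security/commoncap.c (the `#include "cap_names.h"` in the commoncap.c hunk), so anyone who trips the guard would be sent to the wrong place. Suggest `#error cap_names.h should be included from security/commoncap.c`. As a minor style point, each `cat "$CAPHEAD" | egrep "$REGEXP"` pipeline can be written `egrep "$REGEXP" "$CAPHEAD"`; the `$NUMCAP != CAP_LAST_CAP + 1` check that turns a regexp miss into a build failure is a good safeguard and should stay.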
>> | diff --git a/security/Makefile b/security/Makefile
>> | index 9e8b025..4093e3e 100644
>> | --- a/security/Makefile
>> | +++ b/security/Makefile
>> | @@ -18,3 +18,12 @@ obj-$(CONFIG_SECURITY_SELINUX)		+= selinux/built-in.o
>> |  obj-$(CONFIG_SECURITY_SMACK)		+= commoncap.o smack/built-in.o
>> |  obj-$(CONFIG_SECURITY_CAPABILITIES)	+= commoncap.o capability.o
>> |  obj-$(CONFIG_SECURITY_ROOTPLUG)		+= commoncap.o root_plug.o
>> | +
>> | +# cap_names.h contains the code/name pair of capabilities.
>> | +# It is generated using include/linux/capability.h automatically.
>> | +$(obj)/commoncap.o: $(obj)/cap_names.h
>> | +quiet_cmd_cap_names  = CAPS    $@
>> | +	cmd_cap_names  = /bin/sh $(srctree)/scripts/mkcapnames.sh > $@
>> | +targets += cap_names.h
>> | +$(obj)/cap_names.h: $(srctree)/scripts/mkcapnames.sh
>> $(srctree)/include/linux/capability.h FORCE
>> | +	$(call if_changed,cap_names)
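Review bot: the generated header is never cleaned up. `targets += cap_names.h` lets kbuild track it for if_changed, but nothing adds it to clean-files, so `make clean` will leave security/cap_names.h behind in the tree. Add `clean-files += cap_names.h` next to the targets line.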
>> | diff --git a/security/commoncap.c b/security/commoncap.c
>> | index 5aba826..9483fa9 100644
>> | --- a/security/commoncap.c
>> | +++ b/security/commoncap.c
>> | @@ -24,6 +24,8 @@
>> |  #include <linux/hugetlb.h>
>> |  #include <linux/mount.h>
>> |  #include <linux/sched.h>
>> | +#include <linux/kobject.h>
>> | +#include <linux/sysfs.h>
>> |
>> |  /* Global security state */
>> |
>> | @@ -637,3 +639,100 @@ int cap_vm_enough_memory(struct mm_struct *mm,
>> long pages)
>> |  	return __vm_enough_memory(mm, pages, cap_sys_admin);
>> |  }
>> |
>> | +/*
>> | + * Export the list of capabilities on /sys/kernel/capability
>> | + */
>> | +static struct kobject *capability_kobj;
>> | +
>> | +static ssize_t capability_name_show(struct kobject *kobj,
>> | +				    struct kobj_attribute *attr,
>> | +				    char *buffer)
>> | +{
>> | +	/* It returns numerical representation of capability. */
>> | +	return scnprintf(buffer, PAGE_SIZE, "%ld\n", (long) attr->data);
>> | +}
>> | +
>> | +static ssize_t capability_code_show(struct kobject *kobj,
>> | +				    struct kobj_attribute *attr,
>> | +				    char *buffer)
>> | +{
>> | +	/* It returns symbolic representation of capability. */
>> | +	return scnprintf(buffer, PAGE_SIZE, "%s\n", (char *) attr->data);
>> | +}
>> | +
>> | +static ssize_t capability_version_show(struct kobject *kobj,
>> | +				       struct kobj_attribute *attr,
>> | +				       char *buffer)
>> | +{
>> | +	return scnprintf(buffer, PAGE_SIZE, "0x%08x\n",
>> | +			 _LINUX_CAPABILITY_VERSION);
>> | +}
>> | +
>> | +#define SYSFS_CAP_NAME_ENTRY(_name,_code)				\
>> | +	static struct kobj_attribute _name##_name_attr =		\
>> | +		__ATTR_DATA(_name, 0444, capability_name_show, NULL, (long)(_code))
>> | +
>> | +#define SYSFS_CAP_CODE_ENTRY(_name,_code)				\
>> | +	static struct kobj_attribute _name##_code_attr =		\
>> | +		__ATTR_DATA(_code, 0444, capability_code_show, NULL,
>> __stringify(_name))
>> | +
>> | +/*
>> | + * capability_attrs[] is generated automatically by 
>> scripts/mkcapnames.sh
>> | + * This script parses include/linux/capability.h
>> | + */
>> | +#include "cap_names.h"
>> | +
>> | +static struct attribute_group capability_name_attr_group = {
>> | +	.name = "names",
>> | +	.attrs = capability_name_attrs,
>> | +};
>> | +
>> | +static struct attribute_group capability_code_attr_group = {
>> | +	.name = "codes",
>> | +	.attrs = capability_code_attrs,
>> | +};
>> | +
>> | +static struct kobj_attribute cap_version_attr =
>> | +	__ATTR(version, 0444, capability_version_show, NULL);
>> | +
>> | +static int __init capability_export_names(void)
>> | +{
>> | +	int rc = -ENOMEM;
>> | +
>> | +	/* make /sys/kernel/capability */
>> | +	capability_kobj = kobject_create_and_add("capability", kernel_kobj);
>> | +	if (!capability_kobj)
>> | +		goto error0;
>> | +
>> | +	/* make /sys/kernel/capability/names */
>> | +	rc = sysfs_create_group(capability_kobj,
>> | +				&capability_name_attr_group);
>> | +	if (rc)
>> | +		goto error1;
>> | +
>> | +	/* make /sys/kernel/capability/codes */
>> | +	rc = sysfs_create_group(capability_kobj,
>> | +				&capability_code_attr_group);
>> | +	if (rc)
>> | +		goto error2;
>> | +
>> | +	/* make /sys/kernel/capability/version */
>> | +	rc = sysfs_create_file(capability_kobj,
>> | +			       &cap_version_attr.attr);
>> | +	if (rc)
>> | +		goto error3;
>> | +
>> | +	return 0;
>> | +
>> | +error3:
>> | +	sysfs_remove_group(capability_kobj, &capability_code_attr_group);
>> | +error2:
>> | +	sysfs_remove_group(capability_kobj, &capability_name_attr_group);
>> | +error1:
>> | +	kobject_put(capability_kobj);
>> | +error0:
>> | +	printk(KERN_ERR "Unable to export capabilities\n");
>> | +
>> | +	return rc;
>> | +}
>> | +__initcall(capability_export_names);
>> |
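Review bot: the comment above `#include "cap_names.h"` says capability_attrs[] is generated, but the header actually defines capability_name_attrs[] and capability_code_attrs[], which the two attribute_group initialisers below reference; update the comment to name both arrays. The unwinding in capability_export_names() looks right: each label undoes exactly the step registered before it, kobject_put() releases the kobject from kobject_create_and_add(), and every attribute is created 0444 with a NULL store callback, so the interface stays read-only for every reader.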


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
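As an added example (not code from the patch, from libcap, or from any of the thread's authors), here is how a userspace library could consume the interface the commit message describes: it walks /sys/kernel/capability, reads codes/<n> and names/<name>, and refuses a tree whose two views disagree. The tree is constructed in a temporary directory with sample values taken from the ABI document, so it runs without the patched kernel.

```python
import os
import tempfile

# Constructed sample, using the values quoted in the ABI document
# (cap_audit_control = 30, cap_sys_pacct = 20); not a real kernel's table.
SAMPLE_CAPS = {"cap_chown": 0, "cap_sys_pacct": 20, "cap_audit_control": 30}
SAMPLE_VERSION = "0x20071026"


def write_sample_tree(root):
    """Lay out the /sys/kernel/capability structure the patch describes."""
    os.makedirs(os.path.join(root, "names"))
    os.makedirs(os.path.join(root, "codes"))
    with open(os.path.join(root, "version"), "w") as f:
        f.write(SAMPLE_VERSION + "\n")
    for name, code in SAMPLE_CAPS.items():
        with open(os.path.join(root, "names", name), "w") as f:
            f.write("%d\n" % code)          # names/<symbolic> -> numeric code
        with open(os.path.join(root, "codes", str(code)), "w") as f:
            f.write(name + "\n")            # codes/<numeric> -> symbolic name


def load_capability_table(root):
    """Return (version, {name: code}) from a capability sysfs tree.

    Both directories are read and cross-checked so that a partially
    populated or inconsistent tree raises instead of yielding a wrong map.
    """
    with open(os.path.join(root, "version")) as f:
        version = int(f.read().strip(), 16)
    table = {}
    codes_dir = os.path.join(root, "codes")
    for entry in os.listdir(codes_dir):
        code = int(entry)
        with open(os.path.join(codes_dir, entry)) as f:
            name = f.read().strip()
        with open(os.path.join(root, "names", name)) as f:
            back = int(f.read().strip())
        if back != code:
            raise ValueError("names/%s says %d, codes/%d says %s"
                             % (name, back, code, name))
        table[name] = code
    if len(os.listdir(os.path.join(root, "names"))) != len(table):
        raise ValueError("names/ and codes/ differ in size")
    return version, table


def demo():
    """Build the constructed tree in a temp dir and parse it back."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        return load_capability_table(tmp)
```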
