From: Greg Kroah-Hartman <gregkh@suse.de>
To: linux-kernel@vger.kernel.org
Cc: Ludwig Nussel <ludwig.nussel@suse.de>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [PATCH 06/44] kernel/ksysfs.c: expose file_caps_enabled in sysfs
Date: Thu, 19 May 2011 17:10:24 -0700
Message-ID: <1305850262-9575-6-git-send-email-gregkh@suse.de>
In-Reply-To: <1305850262-9575-1-git-send-email-gregkh@suse.de>
From: Ludwig Nussel <ludwig.nussel@suse.de>
A kernel booted with no_file_caps allows installing fscaps on a binary
but doesn't actually honor the fscaps when running the binary. Userspace
currently has no sane way to determine whether installing fscaps
actually has any effect. Since parsing /proc/cmdline is fragile, this
patch exposes the current setting (1 or 0) via /sys/kernel/fscaps.
Signed-off-by: Ludwig Nussel <ludwig.nussel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
Documentation/ABI/testing/sysfs-kernel-fscaps | 8 ++++++++
kernel/ksysfs.c | 10 ++++++++++
2 files changed, 18 insertions(+), 0 deletions(-)
create mode 100644 Documentation/ABI/testing/sysfs-kernel-fscaps
diff --git a/Documentation/ABI/testing/sysfs-kernel-fscaps b/Documentation/ABI/testing/sysfs-kernel-fscaps
new file mode 100644
index 0000000..50a3033
--- /dev/null
+++ b/Documentation/ABI/testing/sysfs-kernel-fscaps
@@ -0,0 +1,8 @@
+What: /sys/kernel/fscaps
+Date: February 2011
+KernelVersion: 2.6.38
+Contact: Ludwig Nussel <ludwig.nussel@suse.de>
+Description
+ Shows whether file system capabilities are honored
+ when executing a binary
+
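Review bot: the "Description" key in the new ABI entry is missing its trailing colon, unlike the What:, Date:, KernelVersion: and Contact: keys above it, and the description text does not state the value format the commit message promises; suggest "Description:" followed by "Shows whether file system capabilities (fscaps) are honored when executing a binary: 1 if they are, 0 if the kernel was booted with no_file_caps." Also, with the patch dated May 2011, "KernelVersion: 2.6.38" and "Date: February 2011" look stale for the kernel release that will first carry this attribute and should be updated when the patch is merged.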
diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
index 0b624e7..3b053c0 100644
--- a/kernel/ksysfs.c
+++ b/kernel/ksysfs.c
@@ -16,6 +16,7 @@
#include <linux/kexec.h>
#include <linux/profile.h>
#include <linux/sched.h>
+#include <linux/capability.h>
#define KERNEL_ATTR_RO(_name) \
static struct kobj_attribute _name##_attr = __ATTR_RO(_name)
@@ -131,6 +132,14 @@ KERNEL_ATTR_RO(vmcoreinfo);
#endif /* CONFIG_KEXEC */
+/* whether file capabilities are enabled */
+static ssize_t fscaps_show(struct kobject *kobj,
+ struct kobj_attribute *attr, char *buf)
+{
+ return sprintf(buf, "%d\n", file_caps_enabled);
+}
+KERNEL_ATTR_RO(fscaps);
+
/*
* Make /sys/kernel/notes give the raw contents of our kernel .notes section.
*/
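Review bot: fscaps_show() formats into the sysfs buffer with plain sprintf(); for a single int plus newline this cannot exceed PAGE_SIZE, but the sysfs convention is to bound the write, so `return scnprintf(buf, PAGE_SIZE, "%d\n", file_caps_enabled);` would be the safer idiom and consistent with other show() callbacks. The one-line comment could also say that file_caps_enabled is fixed at boot by the no_file_caps option, which is why a read-only attribute is sufficient and a value read once stays valid for the uptime.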
@@ -158,6 +167,7 @@ struct kobject *kernel_kobj;
EXPORT_SYMBOL_GPL(kernel_kobj);
static struct attribute * kernel_attrs[] = {
+ &fscaps_attr.attr,
#if defined(CONFIG_HOTPLUG)
&uevent_seqnum_attr.attr,
&uevent_helper_attr.attr,
--
1.7.4.2
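A userspace consumer of the new attribute, written here as an added example (not part of the patch or of the kernel tree): it reads /sys/kernel/fscaps and only on a kernel that lacks the attribute falls back to the exact-token scan of /proc/cmdline for no_file_caps that the commit message calls fragile. The function names and the paths passed as parameters are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parse the contents of /sys/kernel/fscaps ("1\n" or "0\n"): 1, 0, or -1 on anything else. */
int parse_fscaps_value(const char *buf)
{
    if (buf && (buf[0] == '0' || buf[0] == '1') && (buf[1] == '\n' || buf[1] == '\0'))
        return buf[0] - '0';
    return -1;
}

/* Fallback: 1 if the kernel command line contains the exact whitespace-delimited token
 * "no_file_caps", else 0. This is the fragile path the commit message refers to: a substring
 * such as "x_no_file_caps" must not match, and quoting or future spellings are not handled. */
int cmdline_has_no_file_caps(const char *cmdline)
{
    const char *p = cmdline, *tok = "no_file_caps";
    size_t toklen = strlen(tok);
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        const char *start = p;
        while (*p && !isspace((unsigned char)*p))
            p++;
        if ((size_t)(p - start) == toklen && memcmp(start, tok, toklen) == 0)
            return 1;
    }
    return 0;
}

/* Read a small text file into buf (NUL-terminated); 0 on success, -1 if unreadable. */
static int read_small_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, size - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 0;
}

/* 1 if file capabilities are honored, 0 if not, -1 if it cannot be determined.
 * The sysfs attribute wins; the command-line scan is used only when it is absent. */
int fscaps_enabled(const char *sysfs_path, const char *cmdline_path)
{
    char buf[4096];
    if (read_small_file(sysfs_path, buf, sizeof buf) == 0)
        return parse_fscaps_value(buf);
    if (read_small_file(cmdline_path, buf, sizeof buf) == 0)
        return cmdline_has_no_file_caps(buf) ? 0 : 1;
    return -1;
}
```

Calling fscaps_enabled("/sys/kernel/fscaps", "/proc/cmdline") on a live system gives the answer the commit message wants userspace to have.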