From: Chris Wright <chris@wirex.com>
To: Linus Torvalds <torvalds@transmeta.com>
Cc: Chris Wright <chris@wirex.com>, linux-kernel@vger.kernel.org
Subject: [PATCH] remove duplicated assignment from sys_capget.
Date: Tue, 19 Nov 2002 18:49:29 -0800 [thread overview]
Message-ID: <20021119184929.C5801@figure1.int.wirex.com> (raw)
In-Reply-To: <20021119165556.A5806@figure1.int.wirex.com>; from chris@wirex.com on Tue, Nov 19, 2002 at 04:55:56PM -0800
* Chris Wright (chris@wirex.com) wrote:
> I'll follow up with the patch that removes the duplicate code.
This patch, relative to the last patch in this thread, removes the
code from cap_sysget that fills out the capability set being returned
to userspace. The module handles this in a policy specific way. This
updates the dummy.c module to fill in return data according to superuser
policy, and also disables setting capabilities in superuser policy.
[PATCH] remove duplicated assignment from sys_capget.
===== kernel/capability.c 1.6 vs edited =====
--- 1.6/kernel/capability.c Tue Nov 19 15:57:15 2002
+++ edited/kernel/capability.c Tue Nov 19 15:59:38 2002
@@ -63,9 +63,6 @@
} else
target = current;
- data.permitted = cap_t(target->cap_permitted);
- data.inheritable = cap_t(target->cap_inheritable);
- data.effective = cap_t(target->cap_effective);
ret = security_ops->capget(target, &data.effective, &data.inheritable, &data.permitted);
out:
===== security/dummy.c 1.4 vs edited =====
--- 1.4/security/dummy.c Fri Oct 11 14:22:54 2002
+++ edited/security/dummy.c Tue Nov 19 14:58:11 2002
@@ -27,6 +27,17 @@
static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted)
{
+ *effective = *inheritable = *permitted = 0;
+ if (!issecure(SECURE_NOROOT)) {
+ if (target->euid == 0) {
+ *permitted |= (~0 & ~CAP_FS_MASK);
+ *effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK);
+ }
+ if (target->fsuid == 0) {
+ *permitted |= CAP_FS_MASK;
+ *effective |= CAP_FS_MASK;
+ }
+ }
return 0;
}
@@ -35,7 +46,7 @@
kernel_cap_t * inheritable,
kernel_cap_t * permitted)
{
- return 0;
+ return -EPERM;
}
static void dummy_capset_set (struct task_struct *target,
prev parent reply other threads:[~2002-11-20 2:44 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-10 0:15 [PATCH] 2.5.41 capget fix Chris Wright
2002-10-10 19:36 ` Linus Torvalds
2002-10-10 21:47 ` Chris Wright
2002-10-12 2:58 ` Linus Torvalds
2002-11-19 21:14 ` [PATCH] sys_capget should use current if the pid argument is 0 Daniel Jacobowitz
2002-11-20 0:55 ` Chris Wright
2002-11-20 2:49 ` Chris Wright [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20021119184929.C5801@figure1.int.wirex.com \
--to=chris@wirex.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@transmeta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox