[PATCH 1/1] security: introduce fs caps

[PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

This is the full patch as it currently stands to implement file
posix capabilities.  It's my belief this should now be safe for
a -mm spin, but obviously first I'd like to get some more comments.

Compiling with SECURITY_FS_CAPABILITIES=n, or simply not giving
any files fscaps, should preserve existing behavior.

thanks,
-serge

Subject: [PATCH 1/1] security: introduce fs caps

Implement filesystem posix capabilities.  This allows programs to
be given a subset of root's powers regardless of who runs them,
without having to use setuid and giving the binary all of root's
powers.

This version works with Kaigai Kohei's userspace tools, found at
http://www.kaigai.gr.jp/pub/fscaps-1.0-kg.src.rpm under
http://www.kaigai.gr.jp/index.php?FrontPage#b556e50d.

Changelog:
	Sep 05:
	As Seth Arnold points out, uid checks are out of place
	for capability code.

	Sep 01:
	Define task_setscheduler, task_setioprio, cap_task_kill, and
	task_setnice to make sure a user cannot affect a process in which
	they called a program with some fscaps.

	One remaining question is the note under task_setscheduler: are we
	ok with CAP_SYS_NICE being sufficient to confine a process to a
	cpuset?

	It is a semantic change, as without fsccaps, attach_task doesn't
	allow CAP_SYS_NICE to override the uid equivalence check.  But since
	it uses security_task_setscheduler, which elsewhere is used where
	CAP_SYS_NICE can be used to override the uid equivalence check,
	fixing it might be tough.

	     task_setscheduler
		 note: this also controls cpuset:attach_task.  Are we ok with
		     CAP_SYS_NICE being used to confine to a cpuset?
	     task_setioprio
	     task_setnice
		 sys_setpriority uses this (through set_one_prio) for another
		 process.  Need same checks as setrlimit

	Aug 21:
	Updated secureexec implementation to reflect the fact that
	euid and uid might be the same and nonzero, but the process
	might still have elevated caps.

	Aug 15:
	Handle endianness of xattrs.
	Enforce capability version match between kernel and disk.
	Enforce that no bits beyond the known max capability are
	set, else return -EPERM.
	With this extra processing, it may be worth reconsidering
	doing all the work at bprm_set_security rather than
	d_instantiate.

	Aug 10:
	Always call getxattr at bprm_set_security, rather than
	caching it at d_instantiate.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 include/linux/capability.h |    2 +
 include/linux/security.h   |   10 ++-
 security/Kconfig           |   10 +++
 security/capability.c      |    4 +
 security/commoncap.c       |  159 ++++++++++++++++++++++++++++++++++++++++++--
 5 files changed, 176 insertions(+), 9 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 6548b35..8b1932c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -288,6 +288,8 @@ #define CAP_AUDIT_WRITE      29
 
 #define CAP_AUDIT_CONTROL    30
 
+#define CAP_NUMCAPS	     30
+
 #ifdef __KERNEL__
 /* 
  * Bounding set
diff --git a/include/linux/security.h b/include/linux/security.h
index f753038..7a99930 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -51,6 +51,10 @@ extern int cap_inode_setxattr(struct den
 extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_reparent_to_init (struct task_struct *p);
+extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid);
+extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp);
+extern int cap_task_setioprio (struct task_struct *p, int ioprio);
+extern int cap_task_setnice (struct task_struct *p, int nice);
 extern int cap_syslog (int type);
 extern int cap_vm_enough_memory (long pages);
 
@@ -2522,12 +2526,12 @@ static inline int security_task_setgroup
 
 static inline int security_task_setnice (struct task_struct *p, int nice)
 {
-	return 0;
+	return cap_task_setnice(p, nice);
 }
 
 static inline int security_task_setioprio (struct task_struct *p, int ioprio)
 {
-	return 0;
+	return cap_task_setioprio(p, ioprio);
 }
 
 static inline int security_task_getioprio (struct task_struct *p)
@@ -2562,7 +2566,7 @@ static inline int security_task_kill (st
 				      struct siginfo *info, int sig,
 				      u32 secid)
 {
-	return 0;
+	return cap_task_kill(p, info, sig, secid);
 }
 
 static inline int security_task_wait (struct task_struct *p)
diff --git a/security/Kconfig b/security/Kconfig
index 67785df..ce2bac7 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -80,6 +80,16 @@ config SECURITY_CAPABILITIES
 	  This enables the "default" Linux capabilities functionality.
 	  If you are unsure how to answer this question, answer Y.
 
+config SECURITY_FS_CAPABILITIES
+	bool "Filesystem Capabilities"
+	depends on SECURITY_CAPABILITIES
+	default n
+	help
+	  This enables filesystem capabilities, allowing you to give
+	  binaries a subset of root's powers without using setuid 0.
+
+	  If in doubt, answer N.
+
 config SECURITY_ROOTPLUG
 	tristate "Root Plug Support"
 	depends on USB && SECURITY
diff --git a/security/capability.c b/security/capability.c
index b868e7e..14cb592 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -40,6 +40,10 @@ static struct security_operations capabi
 	.inode_setxattr =		cap_inode_setxattr,
 	.inode_removexattr =		cap_inode_removexattr,
 
+	.task_kill =			cap_task_kill,
+	.task_setscheduler =		cap_task_setscheduler,
+	.task_setioprio =		cap_task_setioprio,
+	.task_setnice =			cap_task_setnice,
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
 
diff --git a/security/commoncap.c b/security/commoncap.c
index f50fc29..aee3bd9 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -109,11 +109,55 @@ void cap_capset_set (struct task_struct 
 	target->cap_permitted = *permitted;
 }
 
+#define XATTR_CAPS_SUFFIX "capability"
+#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+struct vfs_cap_data_struct {
+	__u32 version;
+	__u32 effective;
+	__u32 permitted;
+	__u32 inheritable;
+};
+
+static inline void convert_to_le(struct vfs_cap_data_struct *cap)
+{
+	cap->version = le32_to_cpu(cap->version);
+	cap->effective = le32_to_cpu(cap->effective);
+	cap->permitted = le32_to_cpu(cap->permitted);
+	cap->inheritable = le32_to_cpu(cap->inheritable);
+}
+
+static int check_cap_sanity(struct vfs_cap_data_struct *cap)
+{
+	int i;
+
+	if (cap->version != _LINUX_CAPABILITY_VERSION)
+		return -EPERM;
+
+	for (i=CAP_NUMCAPS; i<sizeof(cap->effective); i++) {
+		if (cap->effective & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+	for (i=CAP_NUMCAPS; i<sizeof(cap->permitted); i++) {
+		if (cap->permitted & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+	for (i=CAP_NUMCAPS; i<sizeof(cap->inheritable); i++) {
+		if (cap->inheritable & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+
+	return 0;
+}
+
 int cap_bprm_set_security (struct linux_binprm *bprm)
 {
+	struct dentry *dentry;
+	ssize_t rc;
+	struct vfs_cap_data_struct cap_struct;
+	struct inode *inode;
+
 	/* Copied from fs/exec.c:prepare_binprm. */
 
-	/* We don't have VFS support for capabilities yet */
 	cap_clear (bprm->cap_inheritable);
 	cap_clear (bprm->cap_permitted);
 	cap_clear (bprm->cap_effective);
@@ -134,6 +178,45 @@ int cap_bprm_set_security (struct linux_
 		if (bprm->e_uid == 0)
 			cap_set_full (bprm->cap_effective);
 	}
+
+#ifdef CONFIG_SECURITY_FS_CAPABILITIES
+	/* Locate any VFS capabilities: */
+
+	dentry = dget(bprm->file->f_dentry);
+	inode = dentry->d_inode;
+	if (!inode->i_op || !inode->i_op->getxattr) {
+		dput(dentry);
+		return 0;
+	}
+
+	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &cap_struct,
+						sizeof(cap_struct));
+	dput(dentry);
+
+	if (rc == -ENODATA)
+		return 0;
+
+	if (rc < 0) {
+		printk(KERN_NOTICE "%s: Error (%d) getting xattr\n",
+				__FUNCTION__, rc);
+		return rc;
+	}
+
+	if (rc != sizeof(cap_struct)) {
+		printk(KERN_NOTICE "%s: got wrong size for getxattr (%d)\n",
+					__FUNCTION__, rc);
+		return -EPERM;
+	}
+	
+	convert_to_le(&cap_struct);
+	if (check_cap_sanity(&cap_struct))
+		return -EPERM;
+
+	bprm->cap_effective = cap_struct.effective;
+	bprm->cap_permitted = cap_struct.permitted;
+	bprm->cap_inheritable = cap_struct.inheritable;
+
+#endif
 	return 0;
 }
 
@@ -182,11 +265,15 @@ void cap_bprm_apply_creds (struct linux_
 
 int cap_bprm_secureexec (struct linux_binprm *bprm)
 {
-	/* If/when this module is enhanced to incorporate capability
-	   bits on files, the test below should be extended to also perform a 
-	   test between the old and new capability sets.  For now,
-	   it simply preserves the legacy decision algorithm used by
-	   the old userland. */
+	if (current->uid != 0) {
+		if (!cap_isclear(bprm->cap_effective))
+			return 1;
+		if (!cap_isclear(bprm->cap_permitted))
+			return 1;
+		if (!cap_isclear(bprm->cap_inheritable))
+			return 1;
+	}
+
 	return (current->euid != current->uid ||
 		current->egid != current->gid);
 }
@@ -300,6 +387,62 @@ int cap_task_post_setuid (uid_t old_ruid
 	return 0;
 }
 
+/*
+ * Rationale: code calling task_setscheduler, task_setioprio, and
+ * task_setnice, assumes that
+ *   . if capable(cap_sys_nice), then those actions should be allowed
+ *   . if not capable(cap_sys_nice), but acting on your own processes,
+ *   	then those actions should be allowed
+ * This is insufficient now since you can call code without suid, but
+ * yet with increased caps.
+ * So we check for increased caps on the target process.
+ */
+static inline int cap_safe_nice(struct task_struct *p)
+{
+	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
+	    !__capable(current, CAP_SYS_NICE))
+		return -EPERM;
+	return 0;
+}
+
+int cap_task_setscheduler (struct task_struct *p, int policy,
+			   struct sched_param *lp)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_setioprio (struct task_struct *p, int ioprio)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_setnice (struct task_struct *p, int nice)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_kill(struct task_struct *p, struct siginfo *info,
+				int sig, u32 secid)
+{
+	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
+		return 0;
+
+	if (secid)
+		/*
+		 * Signal sent as a particular user.
+		 * Capabilities are ignored.  May be wrong, but it's the
+		 * only thing we can do at the moment.
+		 * Used only by usb drivers?
+		 */
+		return 0;
+	if (capable(CAP_KILL))
+		return 0;
+	if (cap_issubset(p->cap_permitted, current->cap_permitted))
+		return 0;
+
+	return -EPERM;
+}
+
 void cap_task_reparent_to_init (struct task_struct *p)
 {
 	p->cap_effective = CAP_INIT_EFF_SET;
@@ -337,6 +480,10 @@ EXPORT_SYMBOL(cap_bprm_secureexec);
 EXPORT_SYMBOL(cap_inode_setxattr);
 EXPORT_SYMBOL(cap_inode_removexattr);
 EXPORT_SYMBOL(cap_task_post_setuid);
+EXPORT_SYMBOL(cap_task_kill);
+EXPORT_SYMBOL(cap_task_setscheduler);
+EXPORT_SYMBOL(cap_task_setioprio);
+EXPORT_SYMBOL(cap_task_setnice);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
 EXPORT_SYMBOL(cap_syslog);
 EXPORT_SYMBOL(cap_vm_enough_memory);
-- 
1.4.2

Re: [PATCH 1/1] security: introduce fs caps

[Paul Jackson]

Serge wrote:
> 	One remaining question is the note under task_setscheduler: are we
> 	ok with CAP_SYS_NICE being sufficient to confine a process to a
> 	cpuset?

So far as I know (which isn't very far ;), that's ok.

Can you explain to me how this will visibly affect users?

Under what conditions, with what kernel configurations or options
selected or not, and with what permissions settings, would they notice
any difference, before and after this patch, in the behaviour of
cpusets, such as when they do the operation of writing a pid to tasks
file that invokes kernel/cpuset.c:attach_task()?

-- 
                  I won't rest till it's the best ...
                  Programmer, Linux Scalability
                  Paul Jackson <pj@sgi.com> 1.925.600.0401

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Paul Jackson (pj@sgi.com):
> Serge wrote:
> > 	One remaining question is the note under task_setscheduler: are we
> > 	ok with CAP_SYS_NICE being sufficient to confine a process to a
> > 	cpuset?
> 
> So far as I know (which isn't very far ;), that's ok.
> 
> Can you explain to me how this will visibly affect users?

Short answer is that I don't think it should affect users at all.
They still cannot affect tasks belonging to other users (without
CAP_SYS_NICE).

The main change with file capabilities is that it becomes easy to
run with enhanced privilege, but with your non-root uid.  So for
instance /bin/passwd might now be run in your own name.  So permission
checks which until now have mainly checked for uid equivalence
no long suffice.  I could run /bin/passwd (as uid 500), then quickly
stick the process into a cpuset with insufficient memory or no cpus.
(Not sure whether that particular example makes sense or not :)

So after the regular a->uid==b->uid checks, we need to check whether
the victim process is actually running with raised privilege.

Details on changed behavior in for attach_task() below.

> Under what conditions, with what kernel configurations or options
> selected or not, and with what permissions settings, would they notice
> any difference, before and after this patch, in the behaviour of
> cpusets, such as when they do the operation of writing a pid to tasks
> file that invokes kernel/cpuset.c:attach_task()?

First, set_one_prio(), which calls security_task_nice(), checks
for the two tasks being the same uid before doing anything else.
So it remains the case that without having CAP_SYS_NICE you cannot
make a change for another user's tasks.

With SECURITY_CAPABILITIES=n, clearly this patch will have no effect.

With SECURITY_CAPABILITIES=y but (the new) SECURITY_FS_CAPABILITIES=n,
the new cap_task_setnice() function will be called.  The following
condition is checked:

	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
		!__capable(current, CAP_SYS_NICE))

The only way, without SECURITY_FS_CAPABILITIES=y, that it can be the
case that p->cap_permitted is not a subset of current->cap_permitted,
and that current does have CAP_SYS_NICE, is for current to have
started setuid root and then dropped capabilities other than
CAP_SYS_NICE.  So a setuid root binary asked to retain CAP_SYS_NICE.

The other way for this function to grant permission is for
p->cap_permitted to be a subset of current->cap_permitted.  If you don't
have CAP_SYS_NICE, then these two facts combined mean that you are
doing attach_task() on behalf of a non-priviliged task owned by
yourself.

With SECURITY_FS_CAPABILITIES=y, what changes is that it is possible for
a binary to be marked as granting CAP_SYS_NICE to anyone running it.  If
you do that, your intent is clear.  If you don't grant CAP_SYS_NICE,
then the fact that p->cap_permitted is a subset of current->cap_permitted 
still means that you cannot affect a more privileged task than your own.
And again, set_one_prio() has already checked that the two processes are
owned by the same uid (or that the caller has CAP_SYS_NICE).

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Paul Jackson]

Serge wrote:
> With SECURITY_FS_CAPABILITIES=y, what changes is that it is possible for
> a binary to be marked as granting CAP_SYS_NICE to anyone running it.

Nice explanation - it almost made sense to me.  Thanks.

Sounds like this patch would slightly increase the situations
under which a user task could do a cpuset attach_task on another
user task ... if it had CAP_SYS_NICE, or some such, it could gain
this attach_task ability that it had lacked on older kernels.

Sounds good to me.

My concern would be more if an existing user configuration stopped
working when these filesystem capabilities became available to them,
due to some previously ok operation becoming illegal.

As to exactly which CAP_SYS_* it is that has this power of
allowing a cpuset attach_task, I don't think I really care.

I'm happy.

-- 
                  I won't rest till it's the best ...
                  Programmer, Linux Scalability
                  Paul Jackson <pj@sgi.com> 1.925.600.0401

Re: [PATCH 1/1] security: introduce fs caps

[chris friedhoff]

The patch applies cleanly , compiles and runs smoothly against 2.6.18.1.

I'm running slackware-current with a 2.6.18.1 kernel on an ext3
filesystem.

Background why I use the patch:
With 2.6.18 to create a tuntap interface CAP_NET_ADMIN is required.
Qemu uses tuntap to create a tap interface as a virtual net interface.
Instead now running qemu with root privileges to give it the right
to create a tap interface, i granted qemu with the help of the patch and
Kaigai Kohei's userspace tools the cap-net_admin capability. So qemu
runs again without root privilege but has now the right to create the
tap interface.

Thanks for the patch. It reduces my the need of suid-bit progs.
It should be given a spin in -mm.

I will document my experiences on http://www.friedhoff.org/fscaps.html


Chris

please cc me on my email-address

--------------------
Chris Friedhoff
chris@friedhoff.org

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting chris friedhoff (chris@friedhoff.org):
> The patch applies cleanly , compiles and runs smoothly against 2.6.18.1.
> 
> I'm running slackware-current with a 2.6.18.1 kernel on an ext3
> filesystem.
> 
> Background why I use the patch:
> With 2.6.18 to create a tuntap interface CAP_NET_ADMIN is required.
> Qemu uses tuntap to create a tap interface as a virtual net interface.
> Instead now running qemu with root privileges to give it the right
> to create a tap interface, i granted qemu with the help of the patch and
> Kaigai Kohei's userspace tools the cap-net_admin capability. So qemu
> runs again without root privilege but has now the right to create the
> tap interface.
> 
> Thanks for the patch. It reduces my the need of suid-bit progs.
> It should be given a spin in -mm.

One question is, if this were to be tested in -mm, do we want to keep
this mutually exclusive from selinux through config, or should selinux
stack on top of this?

> I will document my experiences on http://www.friedhoff.org/fscaps.html

Cool.

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Stephen Smalley]

On Fri, 2006-11-03 at 14:00 -0600, Serge E. Hallyn wrote:
> Quoting chris friedhoff (chris@friedhoff.org):
> > The patch applies cleanly , compiles and runs smoothly against 2.6.18.1.
> > 
> > I'm running slackware-current with a 2.6.18.1 kernel on an ext3
> > filesystem.
> > 
> > Background why I use the patch:
> > With 2.6.18 to create a tuntap interface CAP_NET_ADMIN is required.
> > Qemu uses tuntap to create a tap interface as a virtual net interface.
> > Instead now running qemu with root privileges to give it the right
> > to create a tap interface, i granted qemu with the help of the patch and
> > Kaigai Kohei's userspace tools the cap-net_admin capability. So qemu
> > runs again without root privilege but has now the right to create the
> > tap interface.
> > 
> > Thanks for the patch. It reduces my the need of suid-bit progs.
> > It should be given a spin in -mm.
> 
> One question is, if this were to be tested in -mm, do we want to keep
> this mutually exclusive from selinux through config, or should selinux
> stack on top of this?

Given that SELinux already stacks with capability and you aren't using
the security fields (last I looked), it would seem trivial to enable
stacking with fscaps (just add a few secondary_ops calls to the SELinux
hooks, right?).

-- 
Stephen Smalley
National Security Agency

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Stephen Smalley (sds@tycho.nsa.gov):
> On Fri, 2006-11-03 at 14:00 -0600, Serge E. Hallyn wrote:
> > Quoting chris friedhoff (chris@friedhoff.org):
> > > The patch applies cleanly , compiles and runs smoothly against 2.6.18.1.
> > > 
> > > I'm running slackware-current with a 2.6.18.1 kernel on an ext3
> > > filesystem.
> > > 
> > > Background why I use the patch:
> > > With 2.6.18 to create a tuntap interface CAP_NET_ADMIN is required.
> > > Qemu uses tuntap to create a tap interface as a virtual net interface.
> > > Instead now running qemu with root privileges to give it the right
> > > to create a tap interface, i granted qemu with the help of the patch and
> > > Kaigai Kohei's userspace tools the cap-net_admin capability. So qemu
> > > runs again without root privilege but has now the right to create the
> > > tap interface.
> > > 
> > > Thanks for the patch. It reduces my the need of suid-bit progs.
> > > It should be given a spin in -mm.
> > 
> > One question is, if this were to be tested in -mm, do we want to keep
> > this mutually exclusive from selinux through config, or should selinux
> > stack on top of this?
> 
> Given that SELinux already stacks with capability and you aren't using
> the security fields (last I looked), it would seem trivial to enable
> stacking with fscaps (just add a few secondary_ops calls to the SELinux
> hooks, right?).

Yup, I just wasn't sure if there would be actual objections to the idea
of enabling both at once.

I'll send out a patch - just as soon as I figure out where I left the
src to begin with :)

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Kyle Moffett]

On Nov 03, 2006, at 15:47:06, Serge E. Hallyn wrote:
>  Quoting Stephen Smalley (sds@tycho.nsa.gov):
>> On Fri, 2006-11-03 at 14:00 -0600, Serge E. Hallyn wrote:
>>> One question is, if this were to be tested in -mm, do we want to  
>>> keep
>>> this mutually exclusive from selinux through config, or should  
>>> selinux
>>> stack on top of this?
>>
>> Given that SELinux already stacks with capability and you aren't  
>> using
>> the security fields (last I looked), it would seem trivial to enable
>> stacking with fscaps (just add a few secondary_ops calls to the  
>> SELinux
>> hooks, right?).
>
> Yup, I just wasn't sure if there would be actual objections to the  
> idea of enabling both at once.
>
> I'll send out a patch - just as soon as I figure out where I left  
> the src to begin with :)

To be honest from my understanding of SELinux there is no need at all  
to use FS caps on an SELinux system.  Anything that could be done  
with FS caps would be done in a much more fine-grained method with  
SELinux, and the inheritance of filesystem-based capabilities should  
be masked by SELinux-allowed capabilities anyways.  I guess it _can_  
be done, but why?  It's possible to set up an SELinux system so that  
there aren't even any SUID binaries, right?  /etc/passwd can run as  
whatever random user and it will automatically transition to the  
appropriate domain such that it can read and modify /etc/shadow.

Cheers,
Kyle Moffett

Re: [PATCH 1/1] security: introduce fs caps

[James Morris]

On Fri, 3 Nov 2006, Kyle Moffett wrote:

> capabilities anyways.  I guess it _can_ be done, but why?  It's possible to
> set up an SELinux system so that there aren't even any SUID binaries, right?
> /etc/passwd can run as whatever random user and it will automatically
> transition to the appropriate domain such that it can read and modify
> /etc/shadow.

SELinux will not override DAC permissions.  You can theoretically 
configure a system with no effective DAC security and just use MAC, but it 
is definitely not advised.


- James
-- 
James Morris
<jmorris@namei.org>

Re: [PATCH 1/1] security: introduce fs caps

[Stephen Smalley]

On Fri, 2006-11-03 at 21:08 -0500, Kyle Moffett wrote:
> On Nov 03, 2006, at 15:47:06, Serge E. Hallyn wrote:
> >  Quoting Stephen Smalley (sds@tycho.nsa.gov):
> >> On Fri, 2006-11-03 at 14:00 -0600, Serge E. Hallyn wrote:
> >>> One question is, if this were to be tested in -mm, do we want to  
> >>> keep
> >>> this mutually exclusive from selinux through config, or should  
> >>> selinux
> >>> stack on top of this?
> >>
> >> Given that SELinux already stacks with capability and you aren't  
> >> using
> >> the security fields (last I looked), it would seem trivial to enable
> >> stacking with fscaps (just add a few secondary_ops calls to the  
> >> SELinux
> >> hooks, right?).
> >
> > Yup, I just wasn't sure if there would be actual objections to the  
> > idea of enabling both at once.
> >
> > I'll send out a patch - just as soon as I figure out where I left  
> > the src to begin with :)
> 
> To be honest from my understanding of SELinux there is no need at all  
> to use FS caps on an SELinux system.  Anything that could be done  
> with FS caps would be done in a much more fine-grained method with  
> SELinux, and the inheritance of filesystem-based capabilities should  
> be masked by SELinux-allowed capabilities anyways.  I guess it _can_  
> be done, but why?  It's possible to set up an SELinux system so that  
> there aren't even any SUID binaries, right?  /etc/passwd can run as  
> whatever random user and it will automatically transition to the  
> appropriate domain such that it can read and modify /etc/shadow.

Not currently, no.  SELinux typically applies its MAC checks after any
DAC checks have already been applied, and will only further restrict
access.  Hence, you can use SELinux to limit what a process with
capabilities can do, since it must also have the corresponding SELinux
permissions, but you still need a way of gaining those capabilities in
order to pass the usual Linux checks.

Using SELinux to authoritatively grant capabilities based on role/domain
would be useful, and has been done by some people (via custom kernels),
but doing so safely requires quite a bit of work in userspace and policy
configuration.  That wasn't viewed as practical for an initial
deployment of MAC, and we didn't want to expose systems to greater risk.

-- 
Stephen Smalley
National Security Agency

[PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

From: Serge E. Hallyn <serue@us.ibm.com>
Date: Tue, 7 Nov 2006 23:16:06 -0600
Subject: [PATCH 1/1] security: introduce fs caps

Implement file posix capabilities.  This allows programs to be given
a subset of root's powers regardless of who runs them, without
having to use setuid and giving the binary all of root's powers.

This version works with Kaigai Kohei's userspace tools, found at
http://www.kaigai.gr.jp/index.php.  For more information on how to
use this patch, Chris Friedhoff has posted a nice page at
http://www.friedhoff.org/fscaps.html.

Changelog:
	Nov 08:
	For pointers to required userspace tools and how to use
	them, see http://www.friedhoff.org/fscaps.html.

	Nov 07:
	Fix the calculation of the highest bit checked in
	check_cap_sanity().

	Nov 07:
	Allow file caps to be enabled without CONFIG_SECURITY, since
	capabilities are the default.
	Hook cap_task_setscheduler when !CONFIG_SECURITY.
	Move capable(TASK_KILL) to end of cap_task_kill to reduce
	audit messages.

	Nov 05:
	Add secondary calls in selinux/hooks.c to task_setioprio and
	task_setscheduler so that selinux and capabilities with file
	cap support can be stacked.

	Sep 05:
	As Seth Arnold points out, uid checks are out of place
	for capability code.

	Sep 01:
	Define task_setscheduler, task_setioprio, cap_task_kill, and
	task_setnice to make sure a user cannot affect a process in which
	they called a program with some fscaps.

	One remaining question is the note under task_setscheduler: are we
	ok with CAP_SYS_NICE being sufficient to confine a process to a
	cpuset?

	It is a semantic change, as without fsccaps, attach_task doesn't
	allow CAP_SYS_NICE to override the uid equivalence check.  But since
	it uses security_task_setscheduler, which elsewhere is used where
	CAP_SYS_NICE can be used to override the uid equivalence check,
	fixing it might be tough.

	     task_setscheduler
		 note: this also controls cpuset:attach_task.  Are we ok with
		     CAP_SYS_NICE being used to confine to a cpuset?
	     task_setioprio
	     task_setnice
		 sys_setpriority uses this (through set_one_prio) for another
		 process.  Need same checks as setrlimit

	Aug 21:
	Updated secureexec implementation to reflect the fact that
	euid and uid might be the same and nonzero, but the process
	might still have elevated caps.

	Aug 15:
	Handle endianness of xattrs.
	Enforce capability version match between kernel and disk.
	Enforce that no bits beyond the known max capability are
	set, else return -EPERM.
	With this extra processing, it may be worth reconsidering
	doing all the work at bprm_set_security rather than
	d_instantiate.

	Aug 10:
	Always call getxattr at bprm_set_security, rather than
	caching it at d_instantiate.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 include/linux/capability.h |    2 +
 include/linux/security.h   |   12 ++-
 security/Kconfig           |    9 +++
 security/capability.c      |    4 +
 security/commoncap.c       |  159 ++++++++++++++++++++++++++++++++++++++++++--
 security/selinux/hooks.c   |   12 +++
 6 files changed, 188 insertions(+), 10 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 6548b35..76a6e87 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -288,6 +288,8 @@ typedef __u32 kernel_cap_t;
 
 #define CAP_AUDIT_CONTROL    30
 
+#define CAP_NUMCAPS	     31
+
 #ifdef __KERNEL__
 /* 
  * Bounding set
diff --git a/include/linux/security.h b/include/linux/security.h
index b200b98..2718aeb 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,6 +53,10 @@ extern int cap_inode_setxattr(struct den
 extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_reparent_to_init (struct task_struct *p);
+extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid);
+extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp);
+extern int cap_task_setioprio (struct task_struct *p, int ioprio);
+extern int cap_task_setnice (struct task_struct *p, int nice);
 extern int cap_syslog (int type);
 extern int cap_vm_enough_memory (long pages);
 
@@ -2594,12 +2598,12 @@ static inline int security_task_setgroup
 
 static inline int security_task_setnice (struct task_struct *p, int nice)
 {
-	return 0;
+	return cap_task_setnice(p, nice);
 }
 
 static inline int security_task_setioprio (struct task_struct *p, int ioprio)
 {
-	return 0;
+	return cap_task_setioprio(p, ioprio);
 }
 
 static inline int security_task_getioprio (struct task_struct *p)
@@ -2617,7 +2621,7 @@ static inline int security_task_setsched
 					      int policy,
 					      struct sched_param *lp)
 {
-	return 0;
+	return cap_task_setscheduler(p, policy, lp);
 }
 
 static inline int security_task_getscheduler (struct task_struct *p)
@@ -2634,7 +2638,7 @@ static inline int security_task_kill (st
 				      struct siginfo *info, int sig,
 				      u32 secid)
 {
-	return 0;
+	return cap_task_kill(p, info, sig, secid);
 }
 
 static inline int security_task_wait (struct task_struct *p)
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9..6c9d69e 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -80,6 +80,15 @@ config SECURITY_CAPABILITIES
 	  This enables the "default" Linux capabilities functionality.
 	  If you are unsure how to answer this question, answer Y.
 
+config SECURITY_FS_CAPABILITIES
+	bool "File POSIX Capabilities"
+	default n
+	help
+	  This enables filesystem capabilities, allowing you to give
+	  binaries a subset of root's powers without using setuid 0.
+
+	  If in doubt, answer N.
+
 config SECURITY_ROOTPLUG
 	tristate "Root Plug Support"
 	depends on USB && SECURITY
diff --git a/security/capability.c b/security/capability.c
index b868e7e..14cb592 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -40,6 +40,10 @@ static struct security_operations capabi
 	.inode_setxattr =		cap_inode_setxattr,
 	.inode_removexattr =		cap_inode_removexattr,
 
+	.task_kill =			cap_task_kill,
+	.task_setscheduler =		cap_task_setscheduler,
+	.task_setioprio =		cap_task_setioprio,
+	.task_setnice =			cap_task_setnice,
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
 
diff --git a/security/commoncap.c b/security/commoncap.c
index 5a5ef5c..6f5e46c 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -109,11 +109,55 @@ void cap_capset_set (struct task_struct
 	target->cap_permitted = *permitted;
 }
 
+#define XATTR_CAPS_SUFFIX "capability"
+#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+struct vfs_cap_data_struct {
+	__u32 version;
+	__u32 effective;
+	__u32 permitted;
+	__u32 inheritable;
+};
+
+static inline void convert_to_le(struct vfs_cap_data_struct *cap)
+{
+	cap->version = le32_to_cpu(cap->version);
+	cap->effective = le32_to_cpu(cap->effective);
+	cap->permitted = le32_to_cpu(cap->permitted);
+	cap->inheritable = le32_to_cpu(cap->inheritable);
+}
+
+static int check_cap_sanity(struct vfs_cap_data_struct *cap)
+{
+	int i;
+
+	if (cap->version != _LINUX_CAPABILITY_VERSION)
+		return -EPERM;
+
+	for (i=CAP_NUMCAPS; i<8*sizeof(cap->effective); i++) {
+		if (cap->effective & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+	for (i=CAP_NUMCAPS; i<8*sizeof(cap->permitted); i++) {
+		if (cap->permitted & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+	for (i=CAP_NUMCAPS; i<8*sizeof(cap->inheritable); i++) {
+		if (cap->inheritable & CAP_TO_MASK(i))
+			return -EPERM;
+	}
+
+	return 0;
+}
+
 int cap_bprm_set_security (struct linux_binprm *bprm)
 {
+	struct dentry *dentry;
+	ssize_t rc;
+	struct vfs_cap_data_struct cap_struct;
+	struct inode *inode;
+
 	/* Copied from fs/exec.c:prepare_binprm. */
 
-	/* We don't have VFS support for capabilities yet */
 	cap_clear (bprm->cap_inheritable);
 	cap_clear (bprm->cap_permitted);
 	cap_clear (bprm->cap_effective);
@@ -134,6 +178,45 @@ int cap_bprm_set_security (struct linux_
 		if (bprm->e_uid == 0)
 			cap_set_full (bprm->cap_effective);
 	}
+
+#ifdef CONFIG_SECURITY_FS_CAPABILITIES
+	/* Locate any VFS capabilities: */
+
+	dentry = dget(bprm->file->f_dentry);
+	inode = dentry->d_inode;
+	if (!inode->i_op || !inode->i_op->getxattr) {
+		dput(dentry);
+		return 0;
+	}
+
+	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &cap_struct,
+						sizeof(cap_struct));
+	dput(dentry);
+
+	if (rc == -ENODATA)
+		return 0;
+
+	if (rc < 0) {
+		printk(KERN_NOTICE "%s: Error (%d) getting xattr\n",
+				__FUNCTION__, rc);
+		return rc;
+	}
+
+	if (rc != sizeof(cap_struct)) {
+		printk(KERN_NOTICE "%s: got wrong size for getxattr (%d)\n",
+					__FUNCTION__, rc);
+		return -EPERM;
+	}
+	
+	convert_to_le(&cap_struct);
+	if (check_cap_sanity(&cap_struct))
+		return -EPERM;
+
+	bprm->cap_effective = cap_struct.effective;
+	bprm->cap_permitted = cap_struct.permitted;
+	bprm->cap_inheritable = cap_struct.inheritable;
+
+#endif
 	return 0;
 }
 
@@ -182,11 +265,15 @@ void cap_bprm_apply_creds (struct linux_
 
 int cap_bprm_secureexec (struct linux_binprm *bprm)
 {
-	/* If/when this module is enhanced to incorporate capability
-	   bits on files, the test below should be extended to also perform a 
-	   test between the old and new capability sets.  For now,
-	   it simply preserves the legacy decision algorithm used by
-	   the old userland. */
+	if (current->uid != 0) {
+		if (!cap_isclear(bprm->cap_effective))
+			return 1;
+		if (!cap_isclear(bprm->cap_permitted))
+			return 1;
+		if (!cap_isclear(bprm->cap_inheritable))
+			return 1;
+	}
+
 	return (current->euid != current->uid ||
 		current->egid != current->gid);
 }
@@ -300,6 +387,62 @@ int cap_task_post_setuid (uid_t old_ruid
 	return 0;
 }
 
+/*
+ * Rationale: code calling task_setscheduler, task_setioprio, and
+ * task_setnice, assumes that
+ *   . if capable(cap_sys_nice), then those actions should be allowed
+ *   . if not capable(cap_sys_nice), but acting on your own processes,
+ *   	then those actions should be allowed
+ * This is insufficient now since you can call code without suid, but
+ * yet with increased caps.
+ * So we check for increased caps on the target process.
+ */
+static inline int cap_safe_nice(struct task_struct *p)
+{
+	if (!cap_issubset(p->cap_permitted, current->cap_permitted) &&
+	    !__capable(current, CAP_SYS_NICE))
+		return -EPERM;
+	return 0;
+}
+
+int cap_task_setscheduler (struct task_struct *p, int policy,
+			   struct sched_param *lp)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_setioprio (struct task_struct *p, int ioprio)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_setnice (struct task_struct *p, int nice)
+{
+	return cap_safe_nice(p);
+}
+
+int cap_task_kill(struct task_struct *p, struct siginfo *info,
+				int sig, u32 secid)
+{
+	if (info != SEND_SIG_NOINFO && (is_si_special(info) || SI_FROMKERNEL(info)))
+		return 0;
+
+	if (secid)
+		/*
+		 * Signal sent as a particular user.
+		 * Capabilities are ignored.  May be wrong, but it's the
+		 * only thing we can do at the moment.
+		 * Used only by usb drivers?
+		 */
+		return 0;
+	if (cap_issubset(p->cap_permitted, current->cap_permitted))
+		return 0;
+	if (capable(CAP_KILL))
+		return 0;
+
+	return -EPERM;
+}
+
 void cap_task_reparent_to_init (struct task_struct *p)
 {
 	p->cap_effective = CAP_INIT_EFF_SET;
@@ -337,6 +480,10 @@ EXPORT_SYMBOL(cap_bprm_secureexec);
 EXPORT_SYMBOL(cap_inode_setxattr);
 EXPORT_SYMBOL(cap_inode_removexattr);
 EXPORT_SYMBOL(cap_task_post_setuid);
+EXPORT_SYMBOL(cap_task_kill);
+EXPORT_SYMBOL(cap_task_setscheduler);
+EXPORT_SYMBOL(cap_task_setioprio);
+EXPORT_SYMBOL(cap_task_setnice);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
 EXPORT_SYMBOL(cap_syslog);
 EXPORT_SYMBOL(cap_vm_enough_memory);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8ab5679..2fcc60f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2775,6 +2775,12 @@ static int selinux_task_setnice(struct t
 
 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
 {
+	int rc;
+
+	rc = secondary_ops->task_setioprio(p, ioprio);
+	if (rc)
+		return rc;
+
 	return task_has_perm(current, p, PROCESS__SETSCHED);
 }
 
@@ -2804,6 +2810,12 @@ static int selinux_task_setrlimit(unsign
 
 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
 {
+	int rc;
+
+	rc = secondary_ops->task_setscheduler(p, policy, lp);
+	if (rc)
+		return rc;
+
 	return task_has_perm(current, p, PROCESS__SETSCHED);
 }
 
-- 
1.4.3.3

Re: [PATCH 1/1] security: introduce fs caps

[Alexey Dobriyan]

On Wed, Nov 08, 2006 at 04:24:53PM -0600, Serge E. Hallyn wrote:
> +struct vfs_cap_data_struct {

"_struct" suffix is useless here: "struct" is already typed.

> +	__u32 version;
> +	__u32 effective;
> +	__u32 permitted;
> +	__u32 inheritable;
> +};
> +
> +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> +{
> +	cap->version = le32_to_cpu(cap->version);
> +	cap->effective = le32_to_cpu(cap->effective);
> +	cap->permitted = le32_to_cpu(cap->permitted);
> +	cap->inheritable = le32_to_cpu(cap->inheritable);
> +}

This pretty much defeats sparse endian checking. You will get warnings
regardless of whether u32 or le32 are used.

One solution is to fork vfs_cap_data into __le* variant outside of
__KERNEL__ and u* variant internal to kernel (obviously inside
__KERNEL__). Then convert_to_le(), takes 2 arguments:
struct vfs_cap_data_core * and struct vfs_cap_data *. check_cap_sanity()
operates on core structure, et al.

As a side effect you can do interesting things with core structure
later.

Here is one part of GFS2 endian annotations I'm currently doing (still
not finally ready) which should demonstrate all I've said. Note that
after this patch in-core part of GFS2 rindex can lose all padding
on-disk version has.

>From 69254b2cd50d72220133c1e6f0a7ceba53cf5293 Mon Sep 17 00:00:00 2001
From: Alexey Dobriyan <adobriyan@gmail.com>
Date: Tue, 7 Nov 2006 02:58:28 +0300
Subject: [PATCH 8/11] gfs2: struct gfs2_rindex
---
 fs/gfs2/ondisk.c            |   15 +++++++--------
 fs/gfs2/rgrp.c              |   10 +++++-----
 include/linux/gfs2_ondisk.h |   18 +++++++++++++++---
 3 files changed, 27 insertions(+), 16 deletions(-)

index 1701829..139f977 100644
--- a/fs/gfs2/ondisk.c
+++ b/fs/gfs2/ondisk.c
@@ -95,15 +95,14 @@ void gfs2_sb_in(struct gfs2_sb *sb, cons
 	memcpy(sb->sb_locktable, str->sb_locktable, GFS2_LOCKNAME_LEN);
 }
 
-void gfs2_rindex_in(struct gfs2_rindex *ri, const void *buf)
+void gfs2_rindex_in(struct gfs2_rindex *ri,
+		    const struct gfs2_rindex_disk *ri_disk)
 {
-	const struct gfs2_rindex *str = buf;
-
-	ri->ri_addr = be64_to_cpu(str->ri_addr);
-	ri->ri_length = be32_to_cpu(str->ri_length);
-	ri->ri_data0 = be64_to_cpu(str->ri_data0);
-	ri->ri_data = be32_to_cpu(str->ri_data);
-	ri->ri_bitbytes = be32_to_cpu(str->ri_bitbytes);
+	ri->ri_addr = be64_to_cpu(ri_disk->ri_addr);
+	ri->ri_length = be32_to_cpu(ri_disk->ri_length);
+	ri->ri_data0 = be64_to_cpu(ri_disk->ri_data0);
+	ri->ri_data = be32_to_cpu(ri_disk->ri_data);
+	ri->ri_bitbytes = be32_to_cpu(ri_disk->ri_bitbytes);
 
 }
 
index 2c67ea6..d6d3752 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -442,12 +442,12 @@ static int gfs2_ri_update(struct gfs2_in
 	struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
 	struct inode *inode = &ip->i_inode;
 	struct gfs2_rgrpd *rgd;
-	struct gfs2_rindex ri_disk;
+	struct gfs2_rindex_disk ri_disk;
 	struct file_ra_state ra_state;
 	u64 junk = ip->i_di.di_size;
 	int error;
 
-	if (do_div(junk, sizeof(struct gfs2_rindex))) {
+	if (do_div(junk, sizeof(struct gfs2_rindex_disk))) {
 		gfs2_consist_inode(ip);
 		return -EIO;
 	}
@@ -456,12 +456,12 @@ static int gfs2_ri_update(struct gfs2_in
 
 	file_ra_state_init(&ra_state, inode->i_mapping);
 	for (sdp->sd_rgrps = 0;; sdp->sd_rgrps++) {
-		loff_t pos = sdp->sd_rgrps * sizeof(struct gfs2_rindex);
+		loff_t pos = sdp->sd_rgrps * sizeof(struct gfs2_rindex_disk);
 		error = gfs2_internal_read(ip, &ra_state, (char *)&ri_disk, &pos,
-					    sizeof(struct gfs2_rindex));
+					    sizeof(struct gfs2_rindex_disk));
 		if (!error)
 			break;
-		if (error != sizeof(struct gfs2_rindex)) {
+		if (error != sizeof(struct gfs2_rindex_disk)) {
 			if (error > 0)
 				error = -EIO;
 			goto fail;
index 91d066a..ebab0f0 100644
--- a/include/linux/gfs2_ondisk.h
+++ b/include/linux/gfs2_ondisk.h
@@ -140,7 +140,7 @@ struct gfs2_sb {
  * resource index structure
  */
 
-struct gfs2_rindex {
+struct gfs2_rindex_disk {
 	__be64 ri_addr;	/* grp block disk address */
 	__be32 ri_length;	/* length of rgrp header in fs blocks */
 	__u32 __pad;
@@ -153,6 +153,19 @@ struct gfs2_rindex {
 	__u8 ri_reserved[64];
 };
 
+struct gfs2_rindex {
+	__u64 ri_addr;	/* grp block disk address */
+	__u32 ri_length;	/* length of rgrp header in fs blocks */
+	__u32 __pad;
+
+	__u64 ri_data0;	/* first data location */
+	__u32 ri_data;	/* num of data blocks in rgrp */
+
+	__u32 ri_bitbytes;	/* number of bytes in data bitmaps */
+
+	__u8 ri_reserved[64];
+};
+
 /*
  * resource group header structure
  */
@@ -441,8 +454,7 @@ #ifdef __KERNEL__
 extern void gfs2_inum_in(struct gfs2_inum *no, const void *buf);
 extern void gfs2_inum_out(const struct gfs2_inum *no, void *buf);
 extern void gfs2_sb_in(struct gfs2_sb *sb, const void *buf);
-extern void gfs2_rindex_in(struct gfs2_rindex *ri, const void *buf);
-extern void gfs2_rindex_out(const struct gfs2_rindex *ri, void *buf);
+extern void gfs2_rindex_in(struct gfs2_rindex *ri, const struct gfs2_rindex_disk *ri_disk);
 extern void gfs2_rgrp_in(struct gfs2_rgrp *rg, const void *buf);
 extern void gfs2_rgrp_out(const struct gfs2_rgrp *rg, void *buf);
 extern void gfs2_dinode_in(struct gfs2_dinode *di, const void *buf);
-- 
1.4.1

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Alexey Dobriyan (adobriyan@gmail.com):
> On Wed, Nov 08, 2006 at 04:24:53PM -0600, Serge E. Hallyn wrote:
> > +struct vfs_cap_data_struct {
> 
> "_struct" suffix is useless here: "struct" is already typed.

Good point.

> > +	__u32 version;
> > +	__u32 effective;
> > +	__u32 permitted;
> > +	__u32 inheritable;
> > +};
> > +
> > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > +{
> > +	cap->version = le32_to_cpu(cap->version);
> > +	cap->effective = le32_to_cpu(cap->effective);
> > +	cap->permitted = le32_to_cpu(cap->permitted);
> > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > +}
> 
> This pretty much defeats sparse endian checking. You will get warnings
> regardless of whether u32 or le32 are used.

But I don't get any sparse warnings with make C=1.  Am I doing something
wrong?  Will it give warnings only on some architectures?

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Alexey Dobriyan]

On Wed, Nov 08, 2006 at 05:52:03PM -0600, Serge E. Hallyn wrote:
> > > +	__u32 version;
> > > +	__u32 effective;
> > > +	__u32 permitted;
> > > +	__u32 inheritable;
> > > +};
> > > +
> > > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > > +{
> > > +	cap->version = le32_to_cpu(cap->version);
> > > +	cap->effective = le32_to_cpu(cap->effective);
> > > +	cap->permitted = le32_to_cpu(cap->permitted);
> > > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > > +}
> >
> > This pretty much defeats sparse endian checking. You will get warnings
> > regardless of whether u32 or le32 are used.
>
> But I don't get any sparse warnings with make C=1.  Am I doing something
> wrong?

You need (temporarily) to use CF:

	make C=1 CF=-D__CHECK_ENDIAN__ ...

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Sorry, I should have noticed and fixed this much sooner.  This
patch is against the latest full fscaps patch which I'm replying
to.

From: Serge E. Hallyn <serue@us.ibm.com>
Date: Thu, 9 Nov 2006 00:01:49 -0600
Subject: security: file caps: fix unused variable warnings

Address warnings of unused variables at cap_bprm_set_security
when file capabilities are disabled, and simultaneously clean
up the code a little, by pulling the new code into a helper
function.

Rename vfs_cap_data_struct to remove redundant '_struct'.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 security/commoncap.c |   73 ++++++++++++++++++++++++++++----------------------
 1 files changed, 41 insertions(+), 32 deletions(-)

diff --git a/security/commoncap.c b/security/commoncap.c
index 6f5e46c..4b50b4d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -109,16 +109,17 @@ void cap_capset_set (struct task_struct 
 	target->cap_permitted = *permitted;
 }
 
+#ifdef CONFIG_SECURITY_FS_CAPABILITIES
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
-struct vfs_cap_data_struct {
+struct vfs_cap_data {
 	__u32 version;
 	__u32 effective;
 	__u32 permitted;
 	__u32 inheritable;
 };
 
-static inline void convert_to_le(struct vfs_cap_data_struct *cap)
+static inline void convert_to_le(struct vfs_cap_data *cap)
 {
 	cap->version = le32_to_cpu(cap->version);
 	cap->effective = le32_to_cpu(cap->effective);
@@ -126,7 +127,7 @@ static inline void convert_to_le(struct 
 	cap->inheritable = le32_to_cpu(cap->inheritable);
 }
 
-static int check_cap_sanity(struct vfs_cap_data_struct *cap)
+static int check_cap_sanity(struct vfs_cap_data *cap)
 {
 	int i;
 
@@ -149,39 +150,14 @@ static int check_cap_sanity(struct vfs_c
 	return 0;
 }
 
-int cap_bprm_set_security (struct linux_binprm *bprm)
+/* Locate any VFS capabilities: */
+static int set_file_caps(struct linux_binprm *bprm)
 {
 	struct dentry *dentry;
 	ssize_t rc;
-	struct vfs_cap_data_struct cap_struct;
+	struct vfs_cap_data cap_struct;
 	struct inode *inode;
 
-	/* Copied from fs/exec.c:prepare_binprm. */
-
-	cap_clear (bprm->cap_inheritable);
-	cap_clear (bprm->cap_permitted);
-	cap_clear (bprm->cap_effective);
-
-	/*  To support inheritance of root-permissions and suid-root
-	 *  executables under compatibility mode, we raise all three
-	 *  capability sets for the file.
-	 *
-	 *  If only the real uid is 0, we only raise the inheritable
-	 *  and permitted sets of the executable file.
-	 */
-
-	if (!issecure (SECURE_NOROOT)) {
-		if (bprm->e_uid == 0 || current->uid == 0) {
-			cap_set_full (bprm->cap_inheritable);
-			cap_set_full (bprm->cap_permitted);
-		}
-		if (bprm->e_uid == 0)
-			cap_set_full (bprm->cap_effective);
-	}
-
-#ifdef CONFIG_SECURITY_FS_CAPABILITIES
-	/* Locate any VFS capabilities: */
-
 	dentry = dget(bprm->file->f_dentry);
 	inode = dentry->d_inode;
 	if (!inode->i_op || !inode->i_op->getxattr) {
@@ -216,9 +192,42 @@ #ifdef CONFIG_SECURITY_FS_CAPABILITIES
 	bprm->cap_permitted = cap_struct.permitted;
 	bprm->cap_inheritable = cap_struct.inheritable;
 
-#endif
 	return 0;
 }
+#else
+static int set_file_caps(struct linux_binprm *bprm)
+{
+	return 0;
+}
+#endif
+
+int cap_bprm_set_security (struct linux_binprm *bprm)
+{
+	/* Copied from fs/exec.c:prepare_binprm. */
+
+	cap_clear (bprm->cap_inheritable);
+	cap_clear (bprm->cap_permitted);
+	cap_clear (bprm->cap_effective);
+
+	/*  To support inheritance of root-permissions and suid-root
+	 *  executables under compatibility mode, we raise all three
+	 *  capability sets for the file.
+	 *
+	 *  If only the real uid is 0, we only raise the inheritable
+	 *  and permitted sets of the executable file.
+	 */
+
+	if (!issecure (SECURE_NOROOT)) {
+		if (bprm->e_uid == 0 || current->uid == 0) {
+			cap_set_full (bprm->cap_inheritable);
+			cap_set_full (bprm->cap_permitted);
+		}
+		if (bprm->e_uid == 0)
+			cap_set_full (bprm->cap_effective);
+	}
+
+	return set_file_caps(bprm);
+}
 
 void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
 {
-- 
1.4.1

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Alexey Dobriyan (adobriyan@gmail.com):
> On Wed, Nov 08, 2006 at 05:52:03PM -0600, Serge E. Hallyn wrote:
> > > > +	__u32 version;
> > > > +	__u32 effective;
> > > > +	__u32 permitted;
> > > > +	__u32 inheritable;
> > > > +};
> > > > +
> > > > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > > > +{
> > > > +	cap->version = le32_to_cpu(cap->version);
> > > > +	cap->effective = le32_to_cpu(cap->effective);
> > > > +	cap->permitted = le32_to_cpu(cap->permitted);
> > > > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > > > +}
> > >
> > > This pretty much defeats sparse endian checking. You will get warnings
> > > regardless of whether u32 or le32 are used.
> >
> > But I don't get any sparse warnings with make C=1.  Am I doing something
> > wrong?
> 
> You need (temporarily) to use CF:
> 
> 	make C=1 CF=-D__CHECK_ENDIAN__ ...

Ah, cool, now I see it, will try to fix.

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Chris Friedhoff]

Page http://www.friedhoff.org/fscaps.html updated ...
Kernel 2.6.18.2 updated ...
System keeps on humming ...
Is anyone else using/testing the patch? Please give feedback ...
Thanks ...

Chris


On Thu, 9 Nov 2006 00:10:21 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> Sorry, I should have noticed and fixed this much sooner.  This
> patch is against the latest full fscaps patch which I'm replying
> to.
> 
> From: Serge E. Hallyn <serue@us.ibm.com>
> Date: Thu, 9 Nov 2006 00:01:49 -0600
> Subject: security: file caps: fix unused variable warnings
> 
> Address warnings of unused variables at cap_bprm_set_security
> when file capabilities are disabled, and simultaneously clean
> up the code a little, by pulling the new code into a helper
> function.
> 
> Rename vfs_cap_data_struct to remove redundant '_struct'.
> 
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> ---
>  security/commoncap.c |   73 ++++++++++++++++++++++++++++----------------------
>  1 files changed, 41 insertions(+), 32 deletions(-)
> 
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 6f5e46c..4b50b4d 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -109,16 +109,17 @@ void cap_capset_set (struct task_struct 
>  	target->cap_permitted = *permitted;
>  }
>  
> +#ifdef CONFIG_SECURITY_FS_CAPABILITIES
>  #define XATTR_CAPS_SUFFIX "capability"
>  #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
> -struct vfs_cap_data_struct {
> +struct vfs_cap_data {
>  	__u32 version;
>  	__u32 effective;
>  	__u32 permitted;
>  	__u32 inheritable;
>  };
>  
> -static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> +static inline void convert_to_le(struct vfs_cap_data *cap)
>  {
>  	cap->version = le32_to_cpu(cap->version);
>  	cap->effective = le32_to_cpu(cap->effective);
> @@ -126,7 +127,7 @@ static inline void convert_to_le(struct 
>  	cap->inheritable = le32_to_cpu(cap->inheritable);
>  }
>  
> -static int check_cap_sanity(struct vfs_cap_data_struct *cap)
> +static int check_cap_sanity(struct vfs_cap_data *cap)
>  {
>  	int i;
>  
> @@ -149,39 +150,14 @@ static int check_cap_sanity(struct vfs_c
>  	return 0;
>  }
>  
> -int cap_bprm_set_security (struct linux_binprm *bprm)
> +/* Locate any VFS capabilities: */
> +static int set_file_caps(struct linux_binprm *bprm)
>  {
>  	struct dentry *dentry;
>  	ssize_t rc;
> -	struct vfs_cap_data_struct cap_struct;
> +	struct vfs_cap_data cap_struct;
>  	struct inode *inode;
>  
> -	/* Copied from fs/exec.c:prepare_binprm. */
> -
> -	cap_clear (bprm->cap_inheritable);
> -	cap_clear (bprm->cap_permitted);
> -	cap_clear (bprm->cap_effective);
> -
> -	/*  To support inheritance of root-permissions and suid-root
> -	 *  executables under compatibility mode, we raise all three
> -	 *  capability sets for the file.
> -	 *
> -	 *  If only the real uid is 0, we only raise the inheritable
> -	 *  and permitted sets of the executable file.
> -	 */
> -
> -	if (!issecure (SECURE_NOROOT)) {
> -		if (bprm->e_uid == 0 || current->uid == 0) {
> -			cap_set_full (bprm->cap_inheritable);
> -			cap_set_full (bprm->cap_permitted);
> -		}
> -		if (bprm->e_uid == 0)
> -			cap_set_full (bprm->cap_effective);
> -	}
> -
> -#ifdef CONFIG_SECURITY_FS_CAPABILITIES
> -	/* Locate any VFS capabilities: */
> -
>  	dentry = dget(bprm->file->f_dentry);
>  	inode = dentry->d_inode;
>  	if (!inode->i_op || !inode->i_op->getxattr) {
> @@ -216,9 +192,42 @@ #ifdef CONFIG_SECURITY_FS_CAPABILITIES
>  	bprm->cap_permitted = cap_struct.permitted;
>  	bprm->cap_inheritable = cap_struct.inheritable;
>  
> -#endif
>  	return 0;
>  }
> +#else
> +static int set_file_caps(struct linux_binprm *bprm)
> +{
> +	return 0;
> +}
> +#endif
> +
> +int cap_bprm_set_security (struct linux_binprm *bprm)
> +{
> +	/* Copied from fs/exec.c:prepare_binprm. */
> +
> +	cap_clear (bprm->cap_inheritable);
> +	cap_clear (bprm->cap_permitted);
> +	cap_clear (bprm->cap_effective);
> +
> +	/*  To support inheritance of root-permissions and suid-root
> +	 *  executables under compatibility mode, we raise all three
> +	 *  capability sets for the file.
> +	 *
> +	 *  If only the real uid is 0, we only raise the inheritable
> +	 *  and permitted sets of the executable file.
> +	 */
> +
> +	if (!issecure (SECURE_NOROOT)) {
> +		if (bprm->e_uid == 0 || current->uid == 0) {
> +			cap_set_full (bprm->cap_inheritable);
> +			cap_set_full (bprm->cap_permitted);
> +		}
> +		if (bprm->e_uid == 0)
> +			cap_set_full (bprm->cap_effective);
> +	}
> +
> +	return set_file_caps(bprm);
> +}
>  
>  void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
>  {
> -- 
> 1.4.1
> 


--------------------
Chris Friedhoff
chris@friedhoff.org

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

On Thu, Nov 09, 2006 at 10:33:49AM +0100, Chris Friedhoff wrote:
| Page http://www.friedhoff.org/fscaps.html updated ...
| Kernel 2.6.18.2 updated ...
| System keeps on humming ...
| Is anyone else using/testing the patch? Please give feedback ...
| Thanks ...
I am just starting to test it out.  I'll let you know how it goes.
Thanks!
Bill


| 
| Chris
| 
| 
| On Thu, 9 Nov 2006 00:10:21 -0600
| "Serge E. Hallyn" <serue@us.ibm.com> wrote:
| 
| > Sorry, I should have noticed and fixed this much sooner.  This
| > patch is against the latest full fscaps patch which I'm replying
| > to.
| > 
| > From: Serge E. Hallyn <serue@us.ibm.com>
| > Date: Thu, 9 Nov 2006 00:01:49 -0600
| > Subject: security: file caps: fix unused variable warnings
| > 
| > Address warnings of unused variables at cap_bprm_set_security
| > when file capabilities are disabled, and simultaneously clean
| > up the code a little, by pulling the new code into a helper
| > function.
| > 
| > Rename vfs_cap_data_struct to remove redundant '_struct'.
| > 
| > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
| > ---
| >  security/commoncap.c |   73 ++++++++++++++++++++++++++++----------------------
| >  1 files changed, 41 insertions(+), 32 deletions(-)
| > 
| > diff --git a/security/commoncap.c b/security/commoncap.c
| > index 6f5e46c..4b50b4d 100644
| > --- a/security/commoncap.c
| > +++ b/security/commoncap.c
| > @@ -109,16 +109,17 @@ void cap_capset_set (struct task_struct 
| >  	target->cap_permitted = *permitted;
| >  }
| >  
| > +#ifdef CONFIG_SECURITY_FS_CAPABILITIES
| >  #define XATTR_CAPS_SUFFIX "capability"
| >  #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
| > -struct vfs_cap_data_struct {
| > +struct vfs_cap_data {
| >  	__u32 version;
| >  	__u32 effective;
| >  	__u32 permitted;
| >  	__u32 inheritable;
| >  };
| >  
| > -static inline void convert_to_le(struct vfs_cap_data_struct *cap)
| > +static inline void convert_to_le(struct vfs_cap_data *cap)
| >  {
| >  	cap->version = le32_to_cpu(cap->version);
| >  	cap->effective = le32_to_cpu(cap->effective);
| > @@ -126,7 +127,7 @@ static inline void convert_to_le(struct 
| >  	cap->inheritable = le32_to_cpu(cap->inheritable);
| >  }
| >  
| > -static int check_cap_sanity(struct vfs_cap_data_struct *cap)
| > +static int check_cap_sanity(struct vfs_cap_data *cap)
| >  {
| >  	int i;
| >  
| > @@ -149,39 +150,14 @@ static int check_cap_sanity(struct vfs_c
| >  	return 0;
| >  }
| >  
| > -int cap_bprm_set_security (struct linux_binprm *bprm)
| > +/* Locate any VFS capabilities: */
| > +static int set_file_caps(struct linux_binprm *bprm)
| >  {
| >  	struct dentry *dentry;
| >  	ssize_t rc;
| > -	struct vfs_cap_data_struct cap_struct;
| > +	struct vfs_cap_data cap_struct;
| >  	struct inode *inode;
| >  
| > -	/* Copied from fs/exec.c:prepare_binprm. */
| > -
| > -	cap_clear (bprm->cap_inheritable);
| > -	cap_clear (bprm->cap_permitted);
| > -	cap_clear (bprm->cap_effective);
| > -
| > -	/*  To support inheritance of root-permissions and suid-root
| > -	 *  executables under compatibility mode, we raise all three
| > -	 *  capability sets for the file.
| > -	 *
| > -	 *  If only the real uid is 0, we only raise the inheritable
| > -	 *  and permitted sets of the executable file.
| > -	 */
| > -
| > -	if (!issecure (SECURE_NOROOT)) {
| > -		if (bprm->e_uid == 0 || current->uid == 0) {
| > -			cap_set_full (bprm->cap_inheritable);
| > -			cap_set_full (bprm->cap_permitted);
| > -		}
| > -		if (bprm->e_uid == 0)
| > -			cap_set_full (bprm->cap_effective);
| > -	}
| > -
| > -#ifdef CONFIG_SECURITY_FS_CAPABILITIES
| > -	/* Locate any VFS capabilities: */
| > -
| >  	dentry = dget(bprm->file->f_dentry);
| >  	inode = dentry->d_inode;
| >  	if (!inode->i_op || !inode->i_op->getxattr) {
| > @@ -216,9 +192,42 @@ #ifdef CONFIG_SECURITY_FS_CAPABILITIES
| >  	bprm->cap_permitted = cap_struct.permitted;
| >  	bprm->cap_inheritable = cap_struct.inheritable;
| >  
| > -#endif
| >  	return 0;
| >  }
| > +#else
| > +static int set_file_caps(struct linux_binprm *bprm)
| > +{
| > +	return 0;
| > +}
| > +#endif
| > +
| > +int cap_bprm_set_security (struct linux_binprm *bprm)
| > +{
| > +	/* Copied from fs/exec.c:prepare_binprm. */
| > +
| > +	cap_clear (bprm->cap_inheritable);
| > +	cap_clear (bprm->cap_permitted);
| > +	cap_clear (bprm->cap_effective);
| > +
| > +	/*  To support inheritance of root-permissions and suid-root
| > +	 *  executables under compatibility mode, we raise all three
| > +	 *  capability sets for the file.
| > +	 *
| > +	 *  If only the real uid is 0, we only raise the inheritable
| > +	 *  and permitted sets of the executable file.
| > +	 */
| > +
| > +	if (!issecure (SECURE_NOROOT)) {
| > +		if (bprm->e_uid == 0 || current->uid == 0) {
| > +			cap_set_full (bprm->cap_inheritable);
| > +			cap_set_full (bprm->cap_permitted);
| > +		}
| > +		if (bprm->e_uid == 0)
| > +			cap_set_full (bprm->cap_effective);
| > +	}
| > +
| > +	return set_file_caps(bprm);
| > +}
| >  
| >  void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
| >  {
| > -- 
| > 1.4.1
| > 
| 
| 
| --------------------
| Chris Friedhoff
| chris@friedhoff.org
| -
| To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
| the body of a message to majordomo@vger.kernel.org
| More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Bill O'Donnell
SGI
651.683.3079
billodo@sgi.com

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Alexey Dobriyan (adobriyan@gmail.com):
> On Wed, Nov 08, 2006 at 05:52:03PM -0600, Serge E. Hallyn wrote:
> > > > +	__u32 version;
> > > > +	__u32 effective;
> > > > +	__u32 permitted;
> > > > +	__u32 inheritable;
> > > > +};
> > > > +
> > > > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > > > +{
> > > > +	cap->version = le32_to_cpu(cap->version);
> > > > +	cap->effective = le32_to_cpu(cap->effective);
> > > > +	cap->permitted = le32_to_cpu(cap->permitted);
> > > > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > > > +}
> > >
> > > This pretty much defeats sparse endian checking. You will get warnings
> > > regardless of whether u32 or le32 are used.
> >
> > But I don't get any sparse warnings with make C=1.  Am I doing something
> > wrong?
> 
> You need (temporarily) to use CF:
> 
> 	make C=1 CF=-D__CHECK_ENDIAN__ ...

The following patch on top of the existing one eliminates the warning.
Does it appear consistent with what you were suggesting?

If it is ok, I'll resend the full patch.

Thank you for that help.

-serge

From: Serge E. Hallyn <serue@us.ibm.com>
Subject: [PATCH 1/1] filecaps: fix endianness warnings

Fix endianness warnings as suggested by Alexey Dobriyan.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
 include/linux/capability.h |   21 +++++++++++++++++++++
 security/commoncap.c       |   39 ++++++++++++++++-----------------------
 2 files changed, 37 insertions(+), 23 deletions(-)

diff --git a/include/linux/capability.h b/include/linux/capability.h
index 76a6e87..c54b201 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -39,12 +39,33 @@ typedef struct __user_cap_data_struct {
         __u32 permitted;
         __u32 inheritable;
 } __user *cap_user_data_t;
+
+
+#ifdef CONFIG_SECURITY_FS_CAPABILITIES
+#define XATTR_CAPS_SUFFIX "capability"
+#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
+struct vfs_cap_data_disk {
+	__le32 version;
+	__le32 effective;
+	__le32 permitted;
+	__le32 inheritable;
+};
+#endif
   
 #ifdef __KERNEL__
 
 #include <linux/spinlock.h>
 #include <asm/current.h>
 
+#ifdef CONFIG_SECURITY_FS_CAPABILITIES
+struct vfs_cap_data {
+	__u32 version;
+	__u32 effective;
+	__u32 permitted;
+	__u32 inheritable;
+};
+#endif
+
 /* #define STRICT_CAP_T_TYPECHECKS */
 
 #ifdef STRICT_CAP_T_TYPECHECKS
diff --git a/security/commoncap.c b/security/commoncap.c
index 4b50b4d..c1ef43f 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -110,21 +110,13 @@ void cap_capset_set (struct task_struct 
 }
 
 #ifdef CONFIG_SECURITY_FS_CAPABILITIES
-#define XATTR_CAPS_SUFFIX "capability"
-#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
-struct vfs_cap_data {
-	__u32 version;
-	__u32 effective;
-	__u32 permitted;
-	__u32 inheritable;
-};
-
-static inline void convert_to_le(struct vfs_cap_data *cap)
+static inline void cap_from_disk(struct vfs_cap_data_disk *dcap,
+					struct vfs_cap_data *cap)
 {
-	cap->version = le32_to_cpu(cap->version);
-	cap->effective = le32_to_cpu(cap->effective);
-	cap->permitted = le32_to_cpu(cap->permitted);
-	cap->inheritable = le32_to_cpu(cap->inheritable);
+	cap->version = le32_to_cpu(dcap->version);
+	cap->effective = le32_to_cpu(dcap->effective);
+	cap->permitted = le32_to_cpu(dcap->permitted);
+	cap->inheritable = le32_to_cpu(dcap->inheritable);
 }
 
 static int check_cap_sanity(struct vfs_cap_data *cap)
@@ -155,7 +147,8 @@ static int set_file_caps(struct linux_bi
 {
 	struct dentry *dentry;
 	ssize_t rc;
-	struct vfs_cap_data cap_struct;
+	struct vfs_cap_data_disk dcaps;
+	struct vfs_cap_data caps;
 	struct inode *inode;
 
 	dentry = dget(bprm->file->f_dentry);
@@ -165,8 +158,8 @@ static int set_file_caps(struct linux_bi
 		return 0;
 	}
 
-	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &cap_struct,
-						sizeof(cap_struct));
+	rc = inode->i_op->getxattr(dentry, XATTR_NAME_CAPS, &dcaps,
+						sizeof(dcaps));
 	dput(dentry);
 
 	if (rc == -ENODATA)
@@ -178,19 +171,19 @@ static int set_file_caps(struct linux_bi
 		return rc;
 	}
 
-	if (rc != sizeof(cap_struct)) {
+	if (rc != sizeof(dcaps)) {
 		printk(KERN_NOTICE "%s: got wrong size for getxattr (%d)\n",
 					__FUNCTION__, rc);
 		return -EPERM;
 	}
 	
-	convert_to_le(&cap_struct);
-	if (check_cap_sanity(&cap_struct))
+	cap_from_disk(&dcaps, &caps);
+	if (check_cap_sanity(&caps))
 		return -EPERM;
 
-	bprm->cap_effective = cap_struct.effective;
-	bprm->cap_permitted = cap_struct.permitted;
-	bprm->cap_inheritable = cap_struct.inheritable;
+	bprm->cap_effective = caps.effective;
+	bprm->cap_permitted = caps.permitted;
+	bprm->cap_inheritable = caps.inheritable;
 
 	return 0;
 }
-- 
1.4.1

Re: [PATCH 1/1] security: introduce fs caps

[Alexey Dobriyan]

On Mon, Nov 13, 2006 at 10:43:26AM -0600, Serge E. Hallyn wrote:
> Quoting Alexey Dobriyan (adobriyan@gmail.com):
> > On Wed, Nov 08, 2006 at 05:52:03PM -0600, Serge E. Hallyn wrote:
> > > > > +	__u32 version;
> > > > > +	__u32 effective;
> > > > > +	__u32 permitted;
> > > > > +	__u32 inheritable;
> > > > > +};
> > > > > +
> > > > > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > > > > +{
> > > > > +	cap->version = le32_to_cpu(cap->version);
> > > > > +	cap->effective = le32_to_cpu(cap->effective);
> > > > > +	cap->permitted = le32_to_cpu(cap->permitted);
> > > > > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > > > > +}
> > > >
> > > > This pretty much defeats sparse endian checking. You will get warnings
> > > > regardless of whether u32 or le32 are used.
> > >
> > > But I don't get any sparse warnings with make C=1.  Am I doing something
> > > wrong?
> >
> > You need (temporarily) to use CF:
> >
> > 	make C=1 CF=-D__CHECK_ENDIAN__ ...
>
> The following patch on top of the existing one eliminates the warning.
> Does it appear consistent with what you were suggesting?

> If it is ok, I'll resend the full patch.

Yes, that's it, modulo:

> --- a/include/linux/capability.h
> +++ b/include/linux/capability.h
> +#ifdef CONFIG_SECURITY_FS_CAPABILITIES

This is exportable header, so no CONFIG_*

> +#define XATTR_CAPS_SUFFIX "capability"
> +#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
> +struct vfs_cap_data_disk {
> +	__le32 version;
> +	__le32 effective;
> +	__le32 permitted;
> +	__le32 inheritable;
> +};
> +#endif
>
>  #ifdef __KERNEL__
>
>  #include <linux/spinlock.h>
>  #include <asm/current.h>
>
> +#ifdef CONFIG_SECURITY_FS_CAPABILITIES
> +struct vfs_cap_data {
> +	__u32 version;
> +	__u32 effective;
> +	__u32 permitted;
> +	__u32 inheritable;
> +};

Now you're in kernel, so you can happily use u32 without undescores.

> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -155,7 +147,8 @@ static int set_file_caps(struct linux_bi
>  {
>  	struct dentry *dentry;
>  	ssize_t rc;

> @@ -178,19 +171,19 @@ static int set_file_caps(struct linux_bi
>  		return rc;
>  	}
>
> -	if (rc != sizeof(cap_struct)) {
> +	if (rc != sizeof(dcaps)) {
>  		printk(KERN_NOTICE "%s: got wrong size for getxattr (%d)\n",
>  					__FUNCTION__, rc);

rc is ssize_t, so "%zd".

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

On Thu, Nov 09, 2006 at 10:33:49AM +0100, Chris Friedhoff wrote:
| Page http://www.friedhoff.org/fscaps.html updated ...
| Kernel 2.6.18.2 updated ...
| System keeps on humming ...
| Is anyone else using/testing the patch? Please give feedback ...

Most likely a cockpit error, but I'm having trouble when I give the 
capability to ping (using the userexample from your fscaps page):

$ uname -a
Linux certify 2.6.19-rc3 #3 SMP PREEMPT Mon Nov 13 14:40:54 CST 2006 ia64

$ sudo chmod 711 /bin/ping
$ ping -c 1 localhost
ping: icmp open socket: Operation not permitted

$ sudo setfcaps cap_net_raw=ep /bin/ping           
/bin/ping: Function not implemented (errno=38)

Any help is appreciated.

Bill

---
Bill O'Donnell
SGI
651.683.3079
billodo@sgi.com

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Alexey Dobriyan (adobriyan@gmail.com):
> On Mon, Nov 13, 2006 at 10:43:26AM -0600, Serge E. Hallyn wrote:
> > Quoting Alexey Dobriyan (adobriyan@gmail.com):
> > > On Wed, Nov 08, 2006 at 05:52:03PM -0600, Serge E. Hallyn wrote:
> > > > > > +	__u32 version;
> > > > > > +	__u32 effective;
> > > > > > +	__u32 permitted;
> > > > > > +	__u32 inheritable;
> > > > > > +};
> > > > > > +
> > > > > > +static inline void convert_to_le(struct vfs_cap_data_struct *cap)
> > > > > > +{
> > > > > > +	cap->version = le32_to_cpu(cap->version);
> > > > > > +	cap->effective = le32_to_cpu(cap->effective);
> > > > > > +	cap->permitted = le32_to_cpu(cap->permitted);
> > > > > > +	cap->inheritable = le32_to_cpu(cap->inheritable);
> > > > > > +}
> > > > >
> > > > > This pretty much defeats sparse endian checking. You will get warnings
> > > > > regardless of whether u32 or le32 are used.
> > > >
> > > > But I don't get any sparse warnings with make C=1.  Am I doing something
> > > > wrong?
> > >
> > > You need (temporarily) to use CF:
> > >
> > > 	make C=1 CF=-D__CHECK_ENDIAN__ ...
> >
> > The following patch on top of the existing one eliminates the warning.
> > Does it appear consistent with what you were suggesting?
> 
> > If it is ok, I'll resend the full patch.
> 
> Yes, that's it, modulo:

Thanks, comments integrated with the exception of:

> > --- a/include/linux/capability.h
> > +++ b/include/linux/capability.h
> > +#ifdef CONFIG_SECURITY_FS_CAPABILITIES
> 
> This is exportable header, so no CONFIG_*
> 
> > +#define XATTR_CAPS_SUFFIX "capability"
> > +#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
> > +struct vfs_cap_data_disk {
> > +	__le32 version;
> > +	__le32 effective;
> > +	__le32 permitted;
> > +	__le32 inheritable;
> > +};
> > +#endif
> >
> >  #ifdef __KERNEL__
> >
> >  #include <linux/spinlock.h>
> >  #include <asm/current.h>
> >
> > +#ifdef CONFIG_SECURITY_FS_CAPABILITIES
> > +struct vfs_cap_data {
> > +	__u32 version;
> > +	__u32 effective;
> > +	__u32 permitted;
> > +	__u32 inheritable;
> > +};
> 
> Now you're in kernel, so you can happily use u32 without undescores.

The rest of the file already uses __u32, so for consistency I'd
rather stick with __u32, unless there's a reason why it's really
discouraged.

Will send new patch in just a bit.

thanks,
-serge

> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -155,7 +147,8 @@ static int set_file_caps(struct linux_bi
> >  {
> >  	struct dentry *dentry;
> >  	ssize_t rc;
> 
> > @@ -178,19 +171,19 @@ static int set_file_caps(struct linux_bi
> >  		return rc;
> >  	}
> >
> > -	if (rc != sizeof(cap_struct)) {
> > +	if (rc != sizeof(dcaps)) {
> >  		printk(KERN_NOTICE "%s: got wrong size for getxattr (%d)\n",
> >  					__FUNCTION__, rc);
> 
> rc is ssize_t, so "%zd".

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Bill O'Donnell (billodo@sgi.com):
> On Thu, Nov 09, 2006 at 10:33:49AM +0100, Chris Friedhoff wrote:
> | Page http://www.friedhoff.org/fscaps.html updated ...
> | Kernel 2.6.18.2 updated ...
> | System keeps on humming ...
> | Is anyone else using/testing the patch? Please give feedback ...
> 
> Most likely a cockpit error, but I'm having trouble when I give the 
> capability to ping (using the userexample from your fscaps page):
> 
> $ uname -a
> Linux certify 2.6.19-rc3 #3 SMP PREEMPT Mon Nov 13 14:40:54 CST 2006 ia64
> 
> $ sudo chmod 711 /bin/ping
> $ ping -c 1 localhost
> ping: icmp open socket: Operation not permitted
> 
> $ sudo setfcaps cap_net_raw=ep /bin/ping           
> /bin/ping: Function not implemented (errno=38)
> 
> Any help is appreciated.

Hmm, two things which come to mind are (a) do you have extended
attributes compiled into your kernel and (b) is sudo properly set
up.

But for (a) to be the case, you should be getting EOPNOTZSPUP (98),
not ENOSYS (38).

Could you send me a copy of your .config, tell me which filesystem
you are using, and send the /tmp/straceout after doing

	strace -o/tmp/straceout -f setfcaps cap_net_raw=ep /bin/ping

as root?

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

[-- Attachment #1: Type: text/plain, Size: 1497 bytes --]

On Mon, Nov 13, 2006 at 11:25:31PM -0600, Serge E. Hallyn wrote:
| Quoting Bill O'Donnell (billodo@sgi.com):
| > On Thu, Nov 09, 2006 at 10:33:49AM +0100, Chris Friedhoff wrote:
| > | Page http://www.friedhoff.org/fscaps.html updated ...
| > | Kernel 2.6.18.2 updated ...
| > | System keeps on humming ...
| > | Is anyone else using/testing the patch? Please give feedback ...
| > 
| > Most likely a cockpit error, but I'm having trouble when I give the 
| > capability to ping (using the userexample from your fscaps page):
| > 
| > $ uname -a
| > Linux certify 2.6.19-rc3 #3 SMP PREEMPT Mon Nov 13 14:40:54 CST 2006 ia64
| > 
| > $ sudo chmod 711 /bin/ping
| > $ ping -c 1 localhost
| > ping: icmp open socket: Operation not permitted
| > 
| > $ sudo setfcaps cap_net_raw=ep /bin/ping           
| > /bin/ping: Function not implemented (errno=38)
| > 
| > Any help is appreciated.
| 
| Hmm, two things which come to mind are (a) do you have extended
| attributes compiled into your kernel and (b) is sudo properly set
| up.
| 
| But for (a) to be the case, you should be getting EOPNOTZSPUP (98),
| not ENOSYS (38).
| 
| Could you send me a copy of your .config, tell me which filesystem
| you are using, and send the /tmp/straceout after doing
| 
| 	strace -o/tmp/straceout -f setfcaps cap_net_raw=ep /bin/ping
| 
| as root?

.config and straceout attached.  The filesystem is ext3.  Will check if
sudo is properly configured.

Thanks,
Bill

-- 
Bill O'Donnell
SGI
651.683.3079
billodo@sgi.com

[-- Attachment #2: .config.certify --]
[-- Type: text/plain, Size: 28801 bytes --]

#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.19-rc3
# Mon Nov 13 14:20:06 2006
#
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"

#
# Code maturity level options
#
CONFIG_EXPERIMENTAL=y
CONFIG_LOCK_KERNEL=y
CONFIG_INIT_ENV_ARG_LIMIT=32

#
# General setup
#
CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
# CONFIG_IPC_NS is not set
CONFIG_POSIX_MQUEUE=y
# CONFIG_BSD_PROCESS_ACCT is not set
CONFIG_TASKSTATS=y
# CONFIG_TASK_DELAY_ACCT is not set
# CONFIG_UTS_NS is not set
# CONFIG_AUDIT is not set
# CONFIG_IKCONFIG is not set
CONFIG_CPUSETS=y
CONFIG_RELAY=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_TASK_XACCT=y
CONFIG_SYSCTL=y
# CONFIG_EMBEDDED is not set
# CONFIG_SYSCTL_SYSCALL is not set
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_ALL=y
# CONFIG_KALLSYMS_EXTRA_PASS is not set
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SHMEM=y
CONFIG_SLAB=y
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_RT_MUTEXES=y
# CONFIG_TINY_SHMEM is not set
CONFIG_BASE_SMALL=0
# CONFIG_SLOB is not set

#
# Loadable module support
#
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_KMOD=y
CONFIG_STOP_MACHINE=y

#
# Block layer
#
CONFIG_BLOCK=y
# CONFIG_BLK_DEV_IO_TRACE is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_AS=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
CONFIG_DEFAULT_AS=y
# CONFIG_DEFAULT_DEADLINE is not set
# CONFIG_DEFAULT_CFQ is not set
# CONFIG_DEFAULT_NOOP is not set
CONFIG_DEFAULT_IOSCHED="anticipatory"

#
# Processor type and features
#
CONFIG_IA64=y
CONFIG_64BIT=y
CONFIG_MMU=y
CONFIG_SWIOTLB=y
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_GENERIC_FIND_NEXT_BIT=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_TIME_INTERPOLATION=y
CONFIG_DMI=y
CONFIG_EFI=y
CONFIG_GENERIC_IOMAP=y
CONFIG_SCHED_NO_NO_OMIT_FRAME_POINTER=y
CONFIG_IA64_UNCACHED_ALLOCATOR=y
CONFIG_AUDIT_ARCH=y
# CONFIG_IA64_GENERIC is not set
# CONFIG_IA64_DIG is not set
# CONFIG_IA64_HP_ZX1 is not set
# CONFIG_IA64_HP_ZX1_SWIOTLB is not set
CONFIG_IA64_SGI_SN2=y
# CONFIG_IA64_HP_SIM is not set
# CONFIG_ITANIUM is not set
CONFIG_MCKINLEY=y
# CONFIG_IA64_PAGE_SIZE_4KB is not set
# CONFIG_IA64_PAGE_SIZE_8KB is not set
CONFIG_IA64_PAGE_SIZE_16KB=y
# CONFIG_IA64_PAGE_SIZE_64KB is not set
# CONFIG_PGTABLE_3 is not set
CONFIG_PGTABLE_4=y
# CONFIG_HZ_100 is not set
CONFIG_HZ_250=y
# CONFIG_HZ_1000 is not set
CONFIG_HZ=250
CONFIG_IA64_L1_CACHE_SHIFT=7
# CONFIG_IA64_CYCLONE is not set
CONFIG_IOSAPIC=y
CONFIG_IA64_SGI_SN_XP=m
CONFIG_FORCE_MAX_ZONEORDER=17
CONFIG_SMP=y
CONFIG_NR_CPUS=1024
# CONFIG_HOTPLUG_CPU is not set
CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
CONFIG_SCHED_SMT=y
CONFIG_PREEMPT=y
CONFIG_SELECT_MEMORY_MODEL=y
# CONFIG_FLATMEM_MANUAL is not set
CONFIG_DISCONTIGMEM_MANUAL=y
# CONFIG_SPARSEMEM_MANUAL is not set
CONFIG_DISCONTIGMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_NEED_MULTIPLE_NODES=y
# CONFIG_SPARSEMEM_STATIC is not set
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_MIGRATION=y
CONFIG_RESOURCES_64BIT=y
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
CONFIG_ARCH_DISCONTIGMEM_ENABLE=y
CONFIG_ARCH_FLATMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_DISCONTIGMEM_DEFAULT=y
CONFIG_NUMA=y
CONFIG_NODES_SHIFT=10
CONFIG_ARCH_POPULATES_NODE_MAP=y
CONFIG_VIRTUAL_MEM_MAP=y
CONFIG_HOLES_IN_ZONE=y
CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID=y
CONFIG_HAVE_ARCH_NODEDATA_EXTENSION=y
CONFIG_IA32_SUPPORT=y
CONFIG_COMPAT=y
CONFIG_IA64_MCA_RECOVERY=y
CONFIG_PERFMON=y
CONFIG_IA64_PALINFO=y
CONFIG_SGI_SN=y
# CONFIG_IA64_ESI is not set

#
# SN Devices
#
CONFIG_SGI_IOC3=y

#
# Firmware Drivers
#
CONFIG_EFI_VARS=y
CONFIG_EFI_PCDP=y
CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_MISC is not set

#
# Power management and ACPI
#
CONFIG_PM=y
# CONFIG_PM_LEGACY is not set
# CONFIG_PM_DEBUG is not set
# CONFIG_PM_SYSFS_DEPRECATED is not set

#
# ACPI (Advanced Configuration and Power Interface) Support
#
CONFIG_ACPI=y
# CONFIG_ACPI_BUTTON is not set
# CONFIG_ACPI_FAN is not set
# CONFIG_ACPI_DOCK is not set
# CONFIG_ACPI_PROCESSOR is not set
CONFIG_ACPI_NUMA=y
CONFIG_ACPI_BLACKLIST_YEAR=0
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_EC=y
CONFIG_ACPI_POWER=y
CONFIG_ACPI_SYSTEM=y
# CONFIG_ACPI_CONTAINER is not set

#
# CPU Frequency scaling
#
# CONFIG_CPU_FREQ is not set

#
# Bus options (PCI, PCMCIA)
#
CONFIG_PCI=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_HOTPLUG_PCI_PCIE=y
# CONFIG_HOTPLUG_PCI_PCIE_POLL_EVENT_MODE is not set
CONFIG_PCIEAER=y
# CONFIG_PCI_MSI is not set
# CONFIG_PCI_MULTITHREAD_PROBE is not set
# CONFIG_PCI_DEBUG is not set

#
# PCI Hotplug Support
#
CONFIG_HOTPLUG_PCI=y
# CONFIG_HOTPLUG_PCI_FAKE is not set
# CONFIG_HOTPLUG_PCI_ACPI is not set
# CONFIG_HOTPLUG_PCI_CPCI is not set
# CONFIG_HOTPLUG_PCI_SHPC is not set
CONFIG_HOTPLUG_PCI_SGI=y

#
# PCCARD (PCMCIA/CardBus) support
#
# CONFIG_PCCARD is not set

#
# Networking
#
CONFIG_NET=y

#
# Networking options
#
# CONFIG_NETDEBUG is not set
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_IP_FIB_HASH=y
# CONFIG_IP_PNP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
# CONFIG_INET_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
# CONFIG_TCP_CONG_ADVANCED is not set
CONFIG_TCP_CONG_CUBIC=y
CONFIG_DEFAULT_TCP_CONG="cubic"
CONFIG_IPV6=m
# CONFIG_IPV6_PRIVACY is not set
# CONFIG_IPV6_ROUTER_PREF is not set
# CONFIG_INET6_AH is not set
# CONFIG_INET6_ESP is not set
# CONFIG_INET6_IPCOMP is not set
# CONFIG_IPV6_MIP6 is not set
# CONFIG_INET6_XFRM_TUNNEL is not set
# CONFIG_INET6_TUNNEL is not set
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
CONFIG_IPV6_SIT=m
# CONFIG_IPV6_TUNNEL is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETFILTER is not set

#
# DCCP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_DCCP is not set

#
# SCTP Configuration (EXPERIMENTAL)
#
# CONFIG_IP_SCTP is not set

#
# TIPC Configuration (EXPERIMENTAL)
#
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set

#
# QoS and/or fair queueing
#
# CONFIG_NET_SCHED is not set

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_IEEE80211 is not set
# CONFIG_NETLABEL is not set

#
# Device Drivers
#

#
# Generic Driver Options
#
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
CONFIG_FW_LOADER=y
# CONFIG_DEBUG_DRIVER is not set
# CONFIG_SYS_HYPERVISOR is not set

#
# Connector - unified userspace <-> kernelspace linker
#
# CONFIG_CONNECTOR is not set

#
# Memory Technology Devices (MTD)
#
# CONFIG_MTD is not set

#
# Parallel port support
#
# CONFIG_PARPORT is not set

#
# Plug and Play support
#
# CONFIG_PNP is not set

#
# Block devices
#
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_BLK_DEV_DAC960 is not set
# CONFIG_BLK_DEV_UMEM is not set
# CONFIG_BLK_DEV_COW_COMMON is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_BLK_DEV_NBD=m
# CONFIG_BLK_DEV_SX8 is not set
# CONFIG_BLK_DEV_UB is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_RAM_BLOCKSIZE=1024
CONFIG_BLK_DEV_INITRD=y
# CONFIG_CDROM_PKTCDVD is not set
CONFIG_ATA_OVER_ETH=m

#
# Misc devices
#
CONFIG_SGI_IOC4=y
# CONFIG_TIFM_CORE is not set

#
# ATA/ATAPI/MFM/RLL support
#
CONFIG_IDE=y
CONFIG_IDE_MAX_HWIFS=4
CONFIG_BLK_DEV_IDE=y

#
# Please see Documentation/ide.txt for help/info on IDE drives
#
# CONFIG_BLK_DEV_IDE_SATA is not set
CONFIG_BLK_DEV_IDEDISK=y
# CONFIG_IDEDISK_MULTI_MODE is not set
CONFIG_BLK_DEV_IDECD=y
# CONFIG_BLK_DEV_IDETAPE is not set
# CONFIG_BLK_DEV_IDEFLOPPY is not set
# CONFIG_BLK_DEV_IDESCSI is not set
# CONFIG_IDE_TASK_IOCTL is not set

#
# IDE chipset support/bugfixes
#
CONFIG_IDE_GENERIC=y
CONFIG_BLK_DEV_IDEPCI=y
CONFIG_IDEPCI_SHARE_IRQ=y
# CONFIG_BLK_DEV_OFFBOARD is not set
# CONFIG_BLK_DEV_GENERIC is not set
# CONFIG_BLK_DEV_OPTI621 is not set
CONFIG_BLK_DEV_IDEDMA_PCI=y
# CONFIG_BLK_DEV_IDEDMA_FORCED is not set
CONFIG_IDEDMA_PCI_AUTO=y
# CONFIG_IDEDMA_ONLYDISK is not set
# CONFIG_BLK_DEV_AEC62XX is not set
# CONFIG_BLK_DEV_ALI15X3 is not set
# CONFIG_BLK_DEV_AMD74XX is not set
# CONFIG_BLK_DEV_CMD64X is not set
# CONFIG_BLK_DEV_TRIFLEX is not set
# CONFIG_BLK_DEV_CY82C693 is not set
# CONFIG_BLK_DEV_CS5520 is not set
# CONFIG_BLK_DEV_CS5530 is not set
# CONFIG_BLK_DEV_HPT34X is not set
# CONFIG_BLK_DEV_HPT366 is not set
# CONFIG_BLK_DEV_JMICRON is not set
# CONFIG_BLK_DEV_SC1200 is not set
# CONFIG_BLK_DEV_PIIX is not set
# CONFIG_BLK_DEV_IT821X is not set
# CONFIG_BLK_DEV_NS87415 is not set
# CONFIG_BLK_DEV_PDC202XX_OLD is not set
# CONFIG_BLK_DEV_PDC202XX_NEW is not set
# CONFIG_BLK_DEV_SVWKS is not set
CONFIG_BLK_DEV_SGIIOC4=y
# CONFIG_BLK_DEV_SIIMAGE is not set
# CONFIG_BLK_DEV_SLC90E66 is not set
# CONFIG_BLK_DEV_TRM290 is not set
# CONFIG_BLK_DEV_VIA82CXXX is not set
# CONFIG_IDE_ARM is not set
CONFIG_BLK_DEV_IDEDMA=y
# CONFIG_IDEDMA_IVB is not set
CONFIG_IDEDMA_AUTO=y
# CONFIG_BLK_DEV_HD is not set

#
# SCSI device support
#
# CONFIG_RAID_ATTRS is not set
CONFIG_SCSI=y
CONFIG_SCSI_NETLINK=y
CONFIG_SCSI_PROC_FS=y

#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=y
CONFIG_CHR_DEV_ST=m
# CONFIG_CHR_DEV_OSST is not set
CONFIG_BLK_DEV_SR=m
# CONFIG_BLK_DEV_SR_VENDOR is not set
CONFIG_CHR_DEV_SG=m
CONFIG_CHR_DEV_SCH=m

#
# Some SCSI devices (e.g. CD jukebox) support multiple LUNs
#
# CONFIG_SCSI_MULTI_LUN is not set
CONFIG_SCSI_CONSTANTS=y
# CONFIG_SCSI_LOGGING is not set

#
# SCSI Transports
#
CONFIG_SCSI_SPI_ATTRS=y
CONFIG_SCSI_FC_ATTRS=y
CONFIG_SCSI_ISCSI_ATTRS=m
CONFIG_SCSI_SAS_ATTRS=y
CONFIG_SCSI_SAS_LIBSAS=y
# CONFIG_SCSI_SAS_LIBSAS_DEBUG is not set

#
# SCSI low-level drivers
#
CONFIG_ISCSI_TCP=m
# CONFIG_BLK_DEV_3W_XXXX_RAID is not set
# CONFIG_SCSI_3W_9XXX is not set
# CONFIG_SCSI_ACARD is not set
# CONFIG_SCSI_AACRAID is not set
# CONFIG_SCSI_AIC7XXX is not set
# CONFIG_SCSI_AIC7XXX_OLD is not set
# CONFIG_SCSI_AIC79XX is not set
# CONFIG_SCSI_AIC94XX is not set
# CONFIG_SCSI_ARCMSR is not set
# CONFIG_MEGARAID_NEWGEN is not set
# CONFIG_MEGARAID_LEGACY is not set
# CONFIG_MEGARAID_SAS is not set
# CONFIG_SCSI_HPTIOP is not set
# CONFIG_SCSI_DMX3191D is not set
# CONFIG_SCSI_FUTURE_DOMAIN is not set
# CONFIG_SCSI_IPS is not set
# CONFIG_SCSI_INITIO is not set
# CONFIG_SCSI_INIA100 is not set
# CONFIG_SCSI_STEX is not set
# CONFIG_SCSI_SYM53C8XX_2 is not set
# CONFIG_SCSI_IPR is not set
CONFIG_SCSI_QLOGIC_1280=y
CONFIG_SCSI_QLA_FC=y
# CONFIG_SCSI_QLA_ISCSI is not set
# CONFIG_SCSI_LPFC is not set
# CONFIG_SCSI_DC395x is not set
# CONFIG_SCSI_DC390T is not set
# CONFIG_SCSI_DEBUG is not set

#
# Serial ATA (prod) and Parallel ATA (experimental) drivers
#
CONFIG_ATA=y
# CONFIG_SATA_AHCI is not set
# CONFIG_SATA_SVW is not set
# CONFIG_ATA_PIIX is not set
# CONFIG_SATA_MV is not set
# CONFIG_SATA_NV is not set
# CONFIG_PDC_ADMA is not set
# CONFIG_SATA_QSTOR is not set
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_SX4 is not set
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIL24 is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_ULI is not set
# CONFIG_SATA_VIA is not set
CONFIG_SATA_VITESSE=y
# CONFIG_PATA_ALI is not set
# CONFIG_PATA_AMD is not set
# CONFIG_PATA_ARTOP is not set
# CONFIG_PATA_ATIIXP is not set
# CONFIG_PATA_CMD64X is not set
# CONFIG_PATA_CS5520 is not set
# CONFIG_PATA_CS5530 is not set
# CONFIG_PATA_CYPRESS is not set
# CONFIG_PATA_EFAR is not set
# CONFIG_ATA_GENERIC is not set
# CONFIG_PATA_HPT366 is not set
# CONFIG_PATA_HPT37X is not set
# CONFIG_PATA_HPT3X2N is not set
# CONFIG_PATA_HPT3X3 is not set
# CONFIG_PATA_IT821X is not set
# CONFIG_PATA_JMICRON is not set
# CONFIG_PATA_TRIFLEX is not set
# CONFIG_PATA_MPIIX is not set
# CONFIG_PATA_OLDPIIX is not set
# CONFIG_PATA_NETCELL is not set
# CONFIG_PATA_NS87410 is not set
# CONFIG_PATA_OPTI is not set
# CONFIG_PATA_OPTIDMA is not set
# CONFIG_PATA_PDC_OLD is not set
# CONFIG_PATA_RADISYS is not set
# CONFIG_PATA_RZ1000 is not set
# CONFIG_PATA_SC1200 is not set
# CONFIG_PATA_SERVERWORKS is not set
# CONFIG_PATA_PDC2027X is not set
# CONFIG_PATA_SIL680 is not set
# CONFIG_PATA_SIS is not set
# CONFIG_PATA_VIA is not set
# CONFIG_PATA_WINBOND is not set

#
# Multi-device support (RAID and LVM)
#
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_LINEAR=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
# CONFIG_MD_RAID10 is not set
CONFIG_MD_RAID456=y
# CONFIG_MD_RAID5_RESHAPE is not set
CONFIG_MD_MULTIPATH=y
# CONFIG_MD_FAULTY is not set
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=m
CONFIG_DM_SNAPSHOT=m
CONFIG_DM_MIRROR=m
CONFIG_DM_ZERO=m
CONFIG_DM_MULTIPATH=m
CONFIG_DM_MULTIPATH_EMC=m

#
# Fusion MPT device support
#
CONFIG_FUSION=y
CONFIG_FUSION_SPI=y
CONFIG_FUSION_FC=y
CONFIG_FUSION_SAS=y
CONFIG_FUSION_MAX_SGE=128
CONFIG_FUSION_CTL=m

#
# IEEE 1394 (FireWire) support
#
# CONFIG_IEEE1394 is not set

#
# I2O device support
#
# CONFIG_I2O is not set

#
# Network device support
#
CONFIG_NETDEVICES=y
# CONFIG_DUMMY is not set
# CONFIG_BONDING is not set
# CONFIG_EQUALIZER is not set
# CONFIG_TUN is not set

#
# ARCnet devices
#
# CONFIG_ARCNET is not set

#
# PHY device support
#

#
# Ethernet (10 or 100Mbit)
#
# CONFIG_NET_ETHERNET is not set

#
# Ethernet (1000 Mbit)
#
# CONFIG_ACENIC is not set
# CONFIG_DL2K is not set
# CONFIG_E1000 is not set
# CONFIG_NS83820 is not set
# CONFIG_HAMACHI is not set
# CONFIG_YELLOWFIN is not set
# CONFIG_R8169 is not set
# CONFIG_SIS190 is not set
# CONFIG_SKGE is not set
# CONFIG_SKY2 is not set
# CONFIG_SK98LIN is not set
CONFIG_TIGON3=y
# CONFIG_BNX2 is not set
# CONFIG_QLA3XXX is not set

#
# Ethernet (10000 Mbit)
#
CONFIG_CHELSIO_T1=m
# CONFIG_IXGB is not set
CONFIG_S2IO=m
# CONFIG_S2IO_NAPI is not set
# CONFIG_MYRI10GE is not set

#
# Token Ring devices
#
# CONFIG_TR is not set

#
# Wireless LAN (non-hamradio)
#
# CONFIG_NET_RADIO is not set

#
# Wan interfaces
#
# CONFIG_WAN is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_PPP is not set
# CONFIG_SLIP is not set
# CONFIG_NET_FC is not set
# CONFIG_SHAPER is not set
CONFIG_NETCONSOLE=y
CONFIG_NETPOLL=y
# CONFIG_NETPOLL_RX is not set
# CONFIG_NETPOLL_TRAP is not set
CONFIG_NET_POLL_CONTROLLER=y

#
# ISDN subsystem
#
# CONFIG_ISDN is not set

#
# Telephony Support
#
# CONFIG_PHONE is not set

#
# Input device support
#
CONFIG_INPUT=y
# CONFIG_INPUT_FF_MEMLESS is not set

#
# Userland interfaces
#
CONFIG_INPUT_MOUSEDEV=y
# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
# CONFIG_INPUT_JOYDEV is not set
# CONFIG_INPUT_TSDEV is not set
# CONFIG_INPUT_EVDEV is not set
# CONFIG_INPUT_EVBUG is not set

#
# Input Device Drivers
#
# CONFIG_INPUT_KEYBOARD is not set
# CONFIG_INPUT_MOUSE is not set
# CONFIG_INPUT_JOYSTICK is not set
# CONFIG_INPUT_TOUCHSCREEN is not set
# CONFIG_INPUT_MISC is not set

#
# Hardware I/O ports
#
# CONFIG_SERIO is not set
# CONFIG_GAMEPORT is not set

#
# Character devices
#
CONFIG_VT=y
CONFIG_VT_CONSOLE=y
CONFIG_HW_CONSOLE=y
# CONFIG_VT_HW_CONSOLE_BINDING is not set
CONFIG_SERIAL_NONSTANDARD=y
# CONFIG_COMPUTONE is not set
# CONFIG_ROCKETPORT is not set
# CONFIG_CYCLADES is not set
# CONFIG_DIGIEPCA is not set
# CONFIG_MOXA_INTELLIO is not set
# CONFIG_MOXA_SMARTIO is not set
# CONFIG_ISI is not set
# CONFIG_SYNCLINKMP is not set
# CONFIG_SYNCLINK_GT is not set
# CONFIG_N_HDLC is not set
# CONFIG_SPECIALIX is not set
# CONFIG_SX is not set
# CONFIG_RIO is not set
# CONFIG_STALDRV is not set
CONFIG_SGI_SNSC=y
CONFIG_SGI_TIOCX=y
CONFIG_SGI_MBCS=m
CONFIG_MSPEC=y

#
# Serial drivers
#
# CONFIG_SERIAL_8250 is not set

#
# Non-8250 serial port support
#
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
CONFIG_SERIAL_SGI_L1_CONSOLE=y
# CONFIG_SERIAL_JSM is not set
CONFIG_SERIAL_SGI_IOC4=y
CONFIG_SERIAL_SGI_IOC3=y
CONFIG_UNIX98_PTYS=y
CONFIG_LEGACY_PTYS=y
CONFIG_LEGACY_PTY_COUNT=256

#
# IPMI
#
# CONFIG_IPMI_HANDLER is not set

#
# Watchdog Cards
#
# CONFIG_WATCHDOG is not set
# CONFIG_HW_RANDOM is not set
CONFIG_EFI_RTC=y
# CONFIG_DTLK is not set
# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set

#
# Ftape, the floppy tape device driver
#
CONFIG_AGP=y
# CONFIG_AGP_SIS is not set
# CONFIG_AGP_VIA is not set
CONFIG_AGP_SGI_TIOCA=y
# CONFIG_DRM is not set
CONFIG_RAW_DRIVER=m
CONFIG_MAX_RAW_DEVS=256
# CONFIG_HPET is not set
# CONFIG_HANGCHECK_TIMER is not set
CONFIG_MMTIMER=y

#
# TPM devices
#
# CONFIG_TCG_TPM is not set

#
# I2C support
#
# CONFIG_I2C is not set

#
# SPI support
#
# CONFIG_SPI is not set
# CONFIG_SPI_MASTER is not set

#
# Dallas's 1-wire bus
#
# CONFIG_W1 is not set

#
# Hardware Monitoring support
#
# CONFIG_HWMON is not set
# CONFIG_HWMON_VID is not set

#
# Multimedia devices
#
# CONFIG_VIDEO_DEV is not set

#
# Digital Video Broadcasting Devices
#
# CONFIG_DVB is not set
# CONFIG_USB_DABUSB is not set

#
# Graphics support
#
CONFIG_FIRMWARE_EDID=y
# CONFIG_FB is not set

#
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
# CONFIG_VGACON_SOFT_SCROLLBACK is not set
CONFIG_DUMMY_CONSOLE=y
# CONFIG_BACKLIGHT_LCD_SUPPORT is not set

#
# Sound
#
# CONFIG_SOUND is not set

#
# USB support
#
CONFIG_USB_ARCH_HAS_HCD=y
CONFIG_USB_ARCH_HAS_OHCI=y
CONFIG_USB_ARCH_HAS_EHCI=y
CONFIG_USB=m
# CONFIG_USB_DEBUG is not set

#
# Miscellaneous USB options
#
# CONFIG_USB_DEVICEFS is not set
# CONFIG_USB_BANDWIDTH is not set
# CONFIG_USB_DYNAMIC_MINORS is not set
# CONFIG_USB_SUSPEND is not set
# CONFIG_USB_OTG is not set

#
# USB Host Controller Drivers
#
CONFIG_USB_EHCI_HCD=m
# CONFIG_USB_EHCI_SPLIT_ISO is not set
# CONFIG_USB_EHCI_ROOT_HUB_TT is not set
# CONFIG_USB_EHCI_TT_NEWSCHED is not set
# CONFIG_USB_ISP116X_HCD is not set
CONFIG_USB_OHCI_HCD=m
# CONFIG_USB_OHCI_BIG_ENDIAN is not set
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_UHCI_HCD=m
# CONFIG_USB_SL811_HCD is not set

#
# USB Device Class drivers
#
# CONFIG_USB_ACM is not set
# CONFIG_USB_PRINTER is not set

#
# NOTE: USB_STORAGE enables SCSI, and 'SCSI disk support'
#

#
# may also be needed; see USB_STORAGE Help for more information
#
# CONFIG_USB_STORAGE is not set
# CONFIG_USB_LIBUSUAL is not set

#
# USB Input Devices
#
CONFIG_USB_HID=m
CONFIG_USB_HIDINPUT=y
# CONFIG_USB_HIDINPUT_POWERBOOK is not set
# CONFIG_HID_FF is not set
# CONFIG_USB_HIDDEV is not set

#
# USB HID Boot Protocol drivers
#
# CONFIG_USB_KBD is not set
# CONFIG_USB_MOUSE is not set
# CONFIG_USB_AIPTEK is not set
# CONFIG_USB_WACOM is not set
# CONFIG_USB_ACECAD is not set
# CONFIG_USB_KBTAB is not set
# CONFIG_USB_POWERMATE is not set
# CONFIG_USB_TOUCHSCREEN is not set
# CONFIG_USB_YEALINK is not set
# CONFIG_USB_XPAD is not set
# CONFIG_USB_ATI_REMOTE is not set
# CONFIG_USB_ATI_REMOTE2 is not set
# CONFIG_USB_KEYSPAN_REMOTE is not set
# CONFIG_USB_APPLETOUCH is not set

#
# USB Imaging devices
#
# CONFIG_USB_MDC800 is not set
# CONFIG_USB_MICROTEK is not set

#
# USB Network Adapters
#
# CONFIG_USB_CATC is not set
# CONFIG_USB_KAWETH is not set
# CONFIG_USB_PEGASUS is not set
# CONFIG_USB_RTL8150 is not set
# CONFIG_USB_USBNET is not set
CONFIG_USB_MON=y

#
# USB port drivers
#

#
# USB Serial Converter support
#
# CONFIG_USB_SERIAL is not set

#
# USB Miscellaneous drivers
#
# CONFIG_USB_EMI62 is not set
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_AUERSWALD is not set
# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_LED is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
# CONFIG_USB_CYTHERM is not set
# CONFIG_USB_PHIDGET is not set
# CONFIG_USB_IDMOUSE is not set
# CONFIG_USB_FTDI_ELAN is not set
# CONFIG_USB_APPLEDISPLAY is not set
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_USB_LD is not set
# CONFIG_USB_TRANCEVIBRATOR is not set

#
# USB DSL modem support
#

#
# USB Gadget Support
#
# CONFIG_USB_GADGET is not set

#
# MMC/SD Card support
#
# CONFIG_MMC is not set

#
# LED devices
#
# CONFIG_NEW_LEDS is not set

#
# LED drivers
#

#
# LED Triggers
#

#
# InfiniBand support
#
CONFIG_INFINIBAND=m
# CONFIG_INFINIBAND_USER_MAD is not set
CONFIG_INFINIBAND_USER_ACCESS=m
CONFIG_INFINIBAND_ADDR_TRANS=y
CONFIG_INFINIBAND_MTHCA=m
CONFIG_INFINIBAND_MTHCA_DEBUG=y
# CONFIG_INFINIBAND_AMSO1100 is not set
CONFIG_INFINIBAND_IPOIB=m
CONFIG_INFINIBAND_IPOIB_DEBUG=y
# CONFIG_INFINIBAND_IPOIB_DEBUG_DATA is not set
CONFIG_INFINIBAND_SRP=m
# CONFIG_INFINIBAND_ISER is not set

#
# EDAC - error detection and reporting (RAS) (EXPERIMENTAL)
#

#
# Real Time Clock
#
# CONFIG_RTC_CLASS is not set

#
# DMA Engine support
#
# CONFIG_DMA_ENGINE is not set

#
# DMA Clients
#

#
# DMA Devices
#

#
# File systems
#
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
# CONFIG_EXT2_FS_XIP is not set
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
# CONFIG_EXT4DEV_FS is not set
CONFIG_JBD=y
# CONFIG_JBD_DEBUG is not set
CONFIG_FS_MBCACHE=y
CONFIG_REISERFS_FS=y
# CONFIG_REISERFS_CHECK is not set
# CONFIG_REISERFS_PROC_INFO is not set
CONFIG_REISERFS_FS_XATTR=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_SECURITY=y
# CONFIG_JFS_FS is not set
CONFIG_FS_POSIX_ACL=y
CONFIG_XFS_FS=y
CONFIG_XFS_QUOTA=y
# CONFIG_XFS_SECURITY is not set
CONFIG_XFS_POSIX_ACL=y
CONFIG_XFS_RT=y
# CONFIG_GFS2_FS is not set
# CONFIG_OCFS2_FS is not set
# CONFIG_MINIX_FS is not set
# CONFIG_ROMFS_FS is not set
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y
CONFIG_QUOTA=y
# CONFIG_QFMT_V1 is not set
# CONFIG_QFMT_V2 is not set
CONFIG_QUOTACTL=y
CONFIG_DNOTIFY=y
CONFIG_AUTOFS_FS=m
CONFIG_AUTOFS4_FS=m
CONFIG_FUSE_FS=m

#
# CD-ROM/DVD Filesystems
#
CONFIG_ISO9660_FS=y
CONFIG_JOLIET=y
# CONFIG_ZISOFS is not set
CONFIG_UDF_FS=m
CONFIG_UDF_NLS=y

#
# DOS/FAT/NT Filesystems
#
CONFIG_FAT_FS=y
# CONFIG_MSDOS_FS is not set
CONFIG_VFAT_FS=y
CONFIG_FAT_DEFAULT_CODEPAGE=437
CONFIG_FAT_DEFAULT_IOCHARSET="iso8859-1"
# CONFIG_NTFS_FS is not set

#
# Pseudo filesystems
#
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_SYSCTL=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
# CONFIG_TMPFS_POSIX_ACL is not set
CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y
CONFIG_RAMFS=y
# CONFIG_CONFIGFS_FS is not set

#
# Miscellaneous filesystems
#
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_HFSPLUS_FS is not set
# CONFIG_BEFS_FS is not set
# CONFIG_BFS_FS is not set
# CONFIG_EFS_FS is not set
# CONFIG_CRAMFS is not set
# CONFIG_VXFS_FS is not set
# CONFIG_HPFS_FS is not set
# CONFIG_QNX4FS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set

#
# Network File Systems
#
CONFIG_NFS_FS=m
CONFIG_NFS_V3=y
# CONFIG_NFS_V3_ACL is not set
CONFIG_NFS_V4=y
CONFIG_NFS_DIRECTIO=y
CONFIG_NFSD=m
CONFIG_NFSD_V3=y
# CONFIG_NFSD_V3_ACL is not set
CONFIG_NFSD_V4=y
CONFIG_NFSD_TCP=y
CONFIG_LOCKD=m
CONFIG_LOCKD_V4=y
CONFIG_EXPORTFS=m
CONFIG_NFS_COMMON=y
CONFIG_SUNRPC=m
CONFIG_SUNRPC_GSS=m
CONFIG_RPCSEC_GSS_KRB5=m
# CONFIG_RPCSEC_GSS_SPKM3 is not set
CONFIG_SMB_FS=m
# CONFIG_SMB_NLS_DEFAULT is not set
CONFIG_CIFS=m
# CONFIG_CIFS_STATS is not set
# CONFIG_CIFS_WEAK_PW_HASH is not set
# CONFIG_CIFS_XATTR is not set
# CONFIG_CIFS_DEBUG2 is not set
# CONFIG_CIFS_EXPERIMENTAL is not set
# CONFIG_NCP_FS is not set
# CONFIG_CODA_FS is not set
# CONFIG_AFS_FS is not set
# CONFIG_9P_FS is not set

#
# Partition Types
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
# CONFIG_OSF_PARTITION is not set
# CONFIG_AMIGA_PARTITION is not set
# CONFIG_ATARI_PARTITION is not set
# CONFIG_MAC_PARTITION is not set
CONFIG_MSDOS_PARTITION=y
# CONFIG_BSD_DISKLABEL is not set
# CONFIG_MINIX_SUBPARTITION is not set
# CONFIG_SOLARIS_X86_PARTITION is not set
# CONFIG_UNIXWARE_DISKLABEL is not set
# CONFIG_LDM_PARTITION is not set
CONFIG_SGI_PARTITION=y
# CONFIG_ULTRIX_PARTITION is not set
# CONFIG_SUN_PARTITION is not set
# CONFIG_KARMA_PARTITION is not set
CONFIG_EFI_PARTITION=y

#
# Native Language Support
#
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="iso8859-1"
CONFIG_NLS_CODEPAGE_437=y
# CONFIG_NLS_CODEPAGE_737 is not set
# CONFIG_NLS_CODEPAGE_775 is not set
# CONFIG_NLS_CODEPAGE_850 is not set
# CONFIG_NLS_CODEPAGE_852 is not set
# CONFIG_NLS_CODEPAGE_855 is not set
# CONFIG_NLS_CODEPAGE_857 is not set
# CONFIG_NLS_CODEPAGE_860 is not set
# CONFIG_NLS_CODEPAGE_861 is not set
# CONFIG_NLS_CODEPAGE_862 is not set
# CONFIG_NLS_CODEPAGE_863 is not set
# CONFIG_NLS_CODEPAGE_864 is not set
# CONFIG_NLS_CODEPAGE_865 is not set
# CONFIG_NLS_CODEPAGE_866 is not set
# CONFIG_NLS_CODEPAGE_869 is not set
# CONFIG_NLS_CODEPAGE_936 is not set
# CONFIG_NLS_CODEPAGE_950 is not set
# CONFIG_NLS_CODEPAGE_932 is not set
# CONFIG_NLS_CODEPAGE_949 is not set
# CONFIG_NLS_CODEPAGE_874 is not set
# CONFIG_NLS_ISO8859_8 is not set
# CONFIG_NLS_CODEPAGE_1250 is not set
# CONFIG_NLS_CODEPAGE_1251 is not set
# CONFIG_NLS_ASCII is not set
CONFIG_NLS_ISO8859_1=y
# CONFIG_NLS_ISO8859_2 is not set
# CONFIG_NLS_ISO8859_3 is not set
# CONFIG_NLS_ISO8859_4 is not set
# CONFIG_NLS_ISO8859_5 is not set
# CONFIG_NLS_ISO8859_6 is not set
# CONFIG_NLS_ISO8859_7 is not set
# CONFIG_NLS_ISO8859_9 is not set
# CONFIG_NLS_ISO8859_13 is not set
# CONFIG_NLS_ISO8859_14 is not set
# CONFIG_NLS_ISO8859_15 is not set
# CONFIG_NLS_KOI8_R is not set
# CONFIG_NLS_KOI8_U is not set
CONFIG_NLS_UTF8=y

#
# Library routines
#
# CONFIG_CRC_CCITT is not set
CONFIG_CRC16=m
CONFIG_CRC32=y
CONFIG_LIBCRC32C=m
CONFIG_ZLIB_INFLATE=m
CONFIG_ZLIB_DEFLATE=m
CONFIG_GENERIC_ALLOCATOR=y
CONFIG_PLIST=y
CONFIG_GENERIC_HARDIRQS=y
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_GENERIC_PENDING_IRQ=y
CONFIG_IRQ_PER_CPU=y

#
# Instrumentation Support
#
# CONFIG_PROFILING is not set
# CONFIG_KPROBES is not set

#
# Kernel hacking
#
# CONFIG_PRINTK_TIME is not set
CONFIG_ENABLE_MUST_CHECK=y
CONFIG_MAGIC_SYSRQ=y
# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_DEBUG_KERNEL=y
CONFIG_LOG_BUF_SHIFT=20
CONFIG_DETECT_SOFTLOCKUP=y
# CONFIG_SCHEDSTATS is not set
# CONFIG_DEBUG_SLAB is not set
# CONFIG_DEBUG_RT_MUTEXES is not set
# CONFIG_RT_MUTEX_TESTER is not set
# CONFIG_DEBUG_SPINLOCK is not set
# CONFIG_DEBUG_MUTEXES is not set
# CONFIG_DEBUG_RWSEMS is not set
# CONFIG_DEBUG_SPINLOCK_SLEEP is not set
# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
# CONFIG_DEBUG_KOBJECT is not set
CONFIG_DEBUG_INFO=y
# CONFIG_DEBUG_FS is not set
# CONFIG_DEBUG_VM is not set
# CONFIG_DEBUG_LIST is not set
CONFIG_FORCED_INLINING=y
# CONFIG_HEADERS_CHECK is not set
# CONFIG_RCU_TORTURE_TEST is not set
CONFIG_IA64_GRANULE_16MB=y
# CONFIG_IA64_GRANULE_64MB is not set
# CONFIG_IA64_PRINT_HAZARDS is not set
# CONFIG_DISABLE_VHPT is not set
# CONFIG_IA64_DEBUG_CMPXCHG is not set
# CONFIG_IA64_DEBUG_IRQ is not set
# CONFIG_KDB is not set
CONFIG_SYSVIPC_COMPAT=y

#
# Security options
#
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
CONFIG_SECURITY_FS_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set

#
# Cryptographic options
#
CONFIG_CRYPTO=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_BLKCIPHER=m
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_NULL is not set
# CONFIG_CRYPTO_MD4 is not set
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=m
# CONFIG_CRYPTO_SHA256 is not set
# CONFIG_CRYPTO_SHA512 is not set
# CONFIG_CRYPTO_WP512 is not set
# CONFIG_CRYPTO_TGR192 is not set
CONFIG_CRYPTO_ECB=m
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_DES=m
# CONFIG_CRYPTO_BLOWFISH is not set
# CONFIG_CRYPTO_TWOFISH is not set
# CONFIG_CRYPTO_SERPENT is not set
# CONFIG_CRYPTO_AES is not set
# CONFIG_CRYPTO_CAST5 is not set
# CONFIG_CRYPTO_CAST6 is not set
# CONFIG_CRYPTO_TEA is not set
# CONFIG_CRYPTO_ARC4 is not set
# CONFIG_CRYPTO_KHAZAD is not set
# CONFIG_CRYPTO_ANUBIS is not set
CONFIG_CRYPTO_DEFLATE=m
# CONFIG_CRYPTO_MICHAEL_MIC is not set
CONFIG_CRYPTO_CRC32C=m
# CONFIG_CRYPTO_TEST is not set

#
# Hardware crypto devices
#

[-- Attachment #3: straceout --]
[-- Type: text/plain, Size: 2654 bytes --]

8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", "/bin/ping"], [/* 67 vars */]) = 0
8102  brk(0)                            = 0x6000000000004000
8102  uname({sys="Linux", node="certify", ...}) = 0
8102  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
8102  open("/etc/ld.so.cache", O_RDONLY) = 3
8102  fstat(3, {st_mode=S_IFREG|0644, st_size=111415, ...}) = 0
8102  mmap(NULL, 111415, PROT_READ, MAP_PRIVATE, 3, 0) = 0x200000000004c000
8102  close(3)                          = 0
8102  open("/lib/libcap.so.1", O_RDONLY) = 3
8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\340\25"..., 832) = 832
8102  fstat(3, {st_mode=S_IFREG|0755, st_size=22672, ...}) = 0
8102  mmap(NULL, 85800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000068000
8102  madvise(0x2000000000068000, 85800, MADV_SEQUENTIAL|0x1) = 0
8102  mprotect(0x2000000000070000, 49152, PROT_NONE) = 0
8102  mmap(0x200000000007c000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x200000000007c000
8102  close(3)                          = 0
8102  open("/lib/libc.so.6.1", O_RDONLY) = 3
8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\3609\2"..., 832) = 832
8102  fstat(3, {st_mode=S_IFREG|0755, st_size=2590313, ...}) = 0
8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2000000000080000
8102  mmap(NULL, 2416624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000084000
8102  madvise(0x2000000000084000, 2416624, MADV_SEQUENTIAL|0x1) = 0
8102  mprotect(0x20000000002bc000, 49152, PROT_NONE) = 0
8102  mmap(0x20000000002c8000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x234000) = 0x20000000002c8000
8102  mmap(0x20000000002d0000, 8176, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000002d0000
8102  close(3)                          = 0
8102  mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002d4000
8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002dc000
8102  munmap(0x200000000004c000, 111415) = 0
8102  brk(0)                            = 0x6000000000004000
8102  brk(0x6000000000028000)           = 0x6000000000028000
8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)
8102  fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
8102  mmap(NULL, 65536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x200000000004c000
8102  write(1, "/bin/ping: Function not implemen"..., 47) = 47
8102  exit_group(0)                     = ?

Re: [PATCH 1/1] security: introduce fs caps

[Serge E. Hallyn]

Quoting Bill O'Donnell (billodo@sgi.com):
> 8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", "/bin/ping"], [/* 67 vars */]) = 0
> 8102  brk(0)                            = 0x6000000000004000
> 8102  uname({sys="Linux", node="certify", ...}) = 0
> 8102  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> 8102  open("/etc/ld.so.cache", O_RDONLY) = 3
> 8102  fstat(3, {st_mode=S_IFREG|0644, st_size=111415, ...}) = 0
> 8102  mmap(NULL, 111415, PROT_READ, MAP_PRIVATE, 3, 0) = 0x200000000004c000
> 8102  close(3)                          = 0
> 8102  open("/lib/libcap.so.1", O_RDONLY) = 3
> 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\340\25"..., 832) = 832
> 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=22672, ...}) = 0
> 8102  mmap(NULL, 85800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000068000
> 8102  madvise(0x2000000000068000, 85800, MADV_SEQUENTIAL|0x1) = 0
> 8102  mprotect(0x2000000000070000, 49152, PROT_NONE) = 0
> 8102  mmap(0x200000000007c000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x200000000007c000
> 8102  close(3)                          = 0
> 8102  open("/lib/libc.so.6.1", O_RDONLY) = 3
> 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\3609\2"..., 832) = 832
> 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=2590313, ...}) = 0
> 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2000000000080000
> 8102  mmap(NULL, 2416624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000084000
> 8102  madvise(0x2000000000084000, 2416624, MADV_SEQUENTIAL|0x1) = 0
> 8102  mprotect(0x20000000002bc000, 49152, PROT_NONE) = 0
> 8102  mmap(0x20000000002c8000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x234000) = 0x20000000002c8000
> 8102  mmap(0x20000000002d0000, 8176, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000002d0000
> 8102  close(3)                          = 0
> 8102  mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002d4000
> 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002dc000
> 8102  munmap(0x200000000004c000, 111415) = 0
> 8102  brk(0)                            = 0x6000000000004000
> 8102  brk(0x6000000000028000)           = 0x6000000000028000
> 8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)

I don't see why this capget is returning -EINVAL.  In fact I don't see
why it happens at all - cap_inode_setxattr would check
capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet.  Looking at
both libcap and setfcaps.c, I don't see where the capget comes from.

As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
correct - if pid < 0 - but you send in 0 - or if security_capget
returns -EINVAL, which cap_capget (and dummy_capget) don't do.

Kaigai, do you have any ideas?

thanks,
-serge

Re: [PATCH 1/1] security: introduce fs caps

[Chris Friedhoff]

[-- Attachment #1: Type: text/plain, Size: 3685 bytes --]

Attached the trace of 
$ su -c "strace -o /tmp/stracesetfcapsout -f setfcaps
cap_net_raw=ep /bin/ping "
Here its working.
>From where are the setfcaps/getfcaps tools? Bill, have you compiled
them or are they from a package?

> $ uname -a
> Linux certify 2.6.19-rc3 #3 SMP PREEMPT Mon Nov 13 14:40:54 CST 2006
> ia64
Its an 64 bit system, right? Which distro are you using?


Chris


On Tue, 14 Nov 2006 09:23:07 -0600
"Serge E. Hallyn" <serue@us.ibm.com> wrote:

> Quoting Bill O'Donnell (billodo@sgi.com):
> > 8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", "/bin/ping"], [/* 67 vars */]) = 0
> > 8102  brk(0)                            = 0x6000000000004000
> > 8102  uname({sys="Linux", node="certify", ...}) = 0
> > 8102  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
> > 8102  open("/etc/ld.so.cache", O_RDONLY) = 3
> > 8102  fstat(3, {st_mode=S_IFREG|0644, st_size=111415, ...}) = 0
> > 8102  mmap(NULL, 111415, PROT_READ, MAP_PRIVATE, 3, 0) = 0x200000000004c000
> > 8102  close(3)                          = 0
> > 8102  open("/lib/libcap.so.1", O_RDONLY) = 3
> > 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\340\25"..., 832) = 832
> > 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=22672, ...}) = 0
> > 8102  mmap(NULL, 85800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000068000
> > 8102  madvise(0x2000000000068000, 85800, MADV_SEQUENTIAL|0x1) = 0
> > 8102  mprotect(0x2000000000070000, 49152, PROT_NONE) = 0
> > 8102  mmap(0x200000000007c000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x200000000007c000
> > 8102  close(3)                          = 0
> > 8102  open("/lib/libc.so.6.1", O_RDONLY) = 3
> > 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\3609\2"..., 832) = 832
> > 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=2590313, ...}) = 0
> > 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2000000000080000
> > 8102  mmap(NULL, 2416624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000084000
> > 8102  madvise(0x2000000000084000, 2416624, MADV_SEQUENTIAL|0x1) = 0
> > 8102  mprotect(0x20000000002bc000, 49152, PROT_NONE) = 0
> > 8102  mmap(0x20000000002c8000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x234000) = 0x20000000002c8000
> > 8102  mmap(0x20000000002d0000, 8176, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000002d0000
> > 8102  close(3)                          = 0
> > 8102  mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002d4000
> > 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002dc000
> > 8102  munmap(0x200000000004c000, 111415) = 0
> > 8102  brk(0)                            = 0x6000000000004000
> > 8102  brk(0x6000000000028000)           = 0x6000000000028000
> > 8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)
> 
> I don't see why this capget is returning -EINVAL.  In fact I don't see
> why it happens at all - cap_inode_setxattr would check
> capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet.  Looking at
> both libcap and setfcaps.c, I don't see where the capget comes from.
> 
> As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
> the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
> correct - if pid < 0 - but you send in 0 - or if security_capget
> returns -EINVAL, which cap_capget (and dummy_capget) don't do.
> 
> Kaigai, do you have any ideas?
> 
> thanks,
> -serge


--------------------
Chris Friedhoff
chris@friedhoff.org

[-- Attachment #2: stracesetfcapsout.gz --]
[-- Type: application/octet-stream, Size: 792 bytes --]

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

On Tue, Nov 14, 2006 at 06:28:18PM +0100, Chris Friedhoff wrote:
| Attached the trace of 
| $ su -c "strace -o /tmp/stracesetfcapsout -f setfcaps
| cap_net_raw=ep /bin/ping "
| Here its working.
| From where are the setfcaps/getfcaps tools? Bill, have you compiled
| them or are they from a package?

I compiled and installed them to /sbin (Kagai's userspace libcap tools), 
using his Makefile.



| 
| > $ uname -a
| > Linux certify 2.6.19-rc3 #3 SMP PREEMPT Mon Nov 13 14:40:54 CST 2006
| > ia64
| Its an 64 bit system, right? Which distro are you using?

Yes.  Its an Itanium based SGI Altix, with a SuSE SLES-10 distro.



Bill

| 
| 
| Chris
| 
| 
| On Tue, 14 Nov 2006 09:23:07 -0600
| "Serge E. Hallyn" <serue@us.ibm.com> wrote:
| 
| > Quoting Bill O'Donnell (billodo@sgi.com):
| > > 8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", "/bin/ping"], [/* 67 vars */]) = 0
| > > 8102  brk(0)                            = 0x6000000000004000
| > > 8102  uname({sys="Linux", node="certify", ...}) = 0
| > > 8102  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
| > > 8102  open("/etc/ld.so.cache", O_RDONLY) = 3
| > > 8102  fstat(3, {st_mode=S_IFREG|0644, st_size=111415, ...}) = 0
| > > 8102  mmap(NULL, 111415, PROT_READ, MAP_PRIVATE, 3, 0) = 0x200000000004c000
| > > 8102  close(3)                          = 0
| > > 8102  open("/lib/libcap.so.1", O_RDONLY) = 3
| > > 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\340\25"..., 832) = 832
| > > 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=22672, ...}) = 0
| > > 8102  mmap(NULL, 85800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000068000
| > > 8102  madvise(0x2000000000068000, 85800, MADV_SEQUENTIAL|0x1) = 0
| > > 8102  mprotect(0x2000000000070000, 49152, PROT_NONE) = 0
| > > 8102  mmap(0x200000000007c000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4000) = 0x200000000007c000
| > > 8102  close(3)                          = 0
| > > 8102  open("/lib/libc.so.6.1", O_RDONLY) = 3
| > > 8102  read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0002\0\1\0\0\0\3609\2"..., 832) = 832
| > > 8102  fstat(3, {st_mode=S_IFREG|0755, st_size=2590313, ...}) = 0
| > > 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2000000000080000
| > > 8102  mmap(NULL, 2416624, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2000000000084000
| > > 8102  madvise(0x2000000000084000, 2416624, MADV_SEQUENTIAL|0x1) = 0
| > > 8102  mprotect(0x20000000002bc000, 49152, PROT_NONE) = 0
| > > 8102  mmap(0x20000000002c8000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x234000) = 0x20000000002c8000
| > > 8102  mmap(0x20000000002d0000, 8176, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000002d0000
| > > 8102  close(3)                          = 0
| > > 8102  mmap(NULL, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002d4000
| > > 8102  mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x20000000002dc000
| > > 8102  munmap(0x200000000004c000, 111415) = 0
| > > 8102  brk(0)                            = 0x6000000000004000
| > > 8102  brk(0x6000000000028000)           = 0x6000000000028000
| > > 8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)
| > 
| > I don't see why this capget is returning -EINVAL.  In fact I don't see
| > why it happens at all - cap_inode_setxattr would check
| > capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet.  Looking at
| > both libcap and setfcaps.c, I don't see where the capget comes from.
| > 
| > As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
| > the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
| > correct - if pid < 0 - but you send in 0 - or if security_capget
| > returns -EINVAL, which cap_capget (and dummy_capget) don't do.
| > 
| > Kaigai, do you have any ideas?
| > 
| > thanks,
| > -serge
| 
| 
| --------------------
| Chris Friedhoff
| chris@friedhoff.org



-- 
Bill O'Donnell
SGI
651.683.3079
billodo@sgi.com

Re: [PATCH 1/1] security: introduce fs caps

[KaiGai Kohei]

Hi, Serge.

Serge E. Hallyn wrote:
> Quoting Bill O'Donnell (billodo@sgi.com):
>> 8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", "/bin/ping"], [/* 67 vars */]) = 0
     - snip -
>> 8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)
> 
> I don't see why this capget is returning -EINVAL.  In fact I don't see
> why it happens at all - cap_inode_setxattr would check
> capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet.  Looking at
> both libcap and setfcaps.c, I don't see where the capget comes from.
> 
> As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
> the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
> correct - if pid < 0 - but you send in 0 - or if security_capget
> returns -EINVAL, which cap_capget (and dummy_capget) don't do.
> 
> Kaigai, do you have any ideas?

Bill said that he uses SLES10/ia64, so the version of libcap is different
from Fedora Core's one. 'libcap-1.92-499.4.src.rpm' is bandled.

Then, I found a strange code in libcap-1.92-499.4.src.rpm.

The setfcaps calls cap_from_text() which is defined in libcap to parse
the command line argument. It has the following function call chains:

cap_from_text()
   -> cap_init()
     -> _libcap_establish_api()

---- the definition of _libcap_establish_api() ----
void _libcap_establish_api(void)
{
     struct __user_cap_header_struct ch;
     struct __user_cap_data_struct cs;

     if (_libcap_kernel_version) { <-- _libcap_kernel_version is 0 initially.
         _cap_debug("already identified kernal api 0x%.8x",
                    _libcap_kernel_version);
         return;
     }

     memset(&ch, 0, sizeof(ch));
     memset(&cs, 0, sizeof(cs));

     (void) capget(&ch, &cs);  <-- (?)

     switch (ch.version) {

     case 0x19980330:
         _libcap_kernel_version = 0x19980330;
         _libcap_kernel_features = CAP_FEATURE_PROC;
         break;

     case 0x19990414:
         _libcap_kernel_version = 0x19990414;
         _libcap_kernel_features = CAP_FEATURE_PROC|CAP_FEATURE_FILE;
         break;

     default:
         _libcap_kernel_version = 0x00000000;
         _libcap_kernel_features = 0x00000000;
     }

     _cap_debug("version: %x, features: %x\n",
                _libcap_kernel_version, _libcap_kernel_features);
}
---------------------------------------------------

capget() is called from _libcap_establish_api() with full-zeroed
__user_cap_header_struct object at first time.
The result of this, sys_capget() in kernel will return -EINVAL.
(Why did strace say the first argument is 0x19980330?)

Probably, Bill didn't update libcap.so.

But I can't recommend Bill to update libcap immediately.
As Hawk Xu said, it may cause a serious problem on the distro
except Fedora Core 6. :(

I have to recommend to use 'fscaps-1.0-kg.i386.rpm' now.
It includes the implementation of interaction between application and xattr.
(Of couse, it's one of the features which should be provided by libcap.)

Thanks,
-- 
Open Source Software Promotion Center, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

On Wed, Nov 15, 2006 at 09:08:55PM +0900, KaiGai Kohei wrote:
| Serge E. Hallyn wrote:
| >Quoting Bill O'Donnell (billodo@sgi.com):
| >>8102  execve("/sbin/setfcaps", ["setfcaps", "cap_net_raw=ep", 
| >>"/bin/ping"], [/* 67 vars */]) = 0
|     - snip -
| >>8102  capget(0x19980330, 0, {0, 0, 0})  = -1 EINVAL (Invalid argument)
| >
| >I don't see why this capget is returning -EINVAL.  In fact I don't see
| >why it happens at all - cap_inode_setxattr would check
| >capable(CAP_SYS_ADMIN), but setxattr hasn't been called yet.  Looking at
| >both libcap and setfcaps.c, I don't see where the capget comes from.
| >
| >As for the -EINVAL, kernel/capability.c:sys_capget() returns -EINVAL if
| >the _LINUX_CAPABILITY_VERSION is wrong - you have 0x19980330 which is
| >correct - if pid < 0 - but you send in 0 - or if security_capget
| >returns -EINVAL, which cap_capget (and dummy_capget) don't do.
| >
| >Kaigai, do you have any ideas?
| 
| Bill said that he uses SLES10/ia64, so the version of libcap is different
| from Fedora Core's one. 'libcap-1.92-499.4.src.rpm' is bandled.
| 
| Then, I found a strange code in libcap-1.92-499.4.src.rpm.
| 
| The setfcaps calls cap_from_text() which is defined in libcap to parse
| the command line argument. It has the following function call chains:
| 
| cap_from_text()
|   -> cap_init()
|     -> _libcap_establish_api()

     - snip -

| capget() is called from _libcap_establish_api() with full-zeroed
| __user_cap_header_struct object at first time.
| The result of this, sys_capget() in kernel will return -EINVAL.
| (Why did strace say the first argument is 0x19980330?)
| 
| Probably, Bill didn't update libcap.so.
No, I didn't...
certify:~/libcap-1.10/progs # ls -altr /lib/libcap*
-rwxr-xr-x 1 root root 22672 2006-06-16 09:56 /lib/libcap.so.1.92
-rw-r--r-- 1 root root 53363 2006-11-13 16:04 /lib/libcap.so.1.10
lrwxrwxrwx 1 root root    14 2006-11-13 16:04 /lib/libcap.so.1 ->libcap.so.1.92
lrwxrwxrwx 1 root root    11 2006-11-13 16:04 /lib/libcap.so -> libcap.so.1

| 
| But I can't recommend Bill to update libcap immediately.
| As Hawk Xu said, it may cause a serious problem on the distro
| except Fedora Core 6. :(

What version of libcap is on FC6? 

| 
| I have to recommend to use 'fscaps-1.0-kg.i386.rpm' now.
| It includes the implementation of interaction between application and xattr.
| (Of couse, it's one of the features which should be provided by libcap.)

But that won't work on ia64 will it?

Thanks,
Bill


-- 
Bill O'Donnell
SGI
651.683.3079
billodo@sgi.com

Re: [PATCH 1/1] security: introduce fs caps

[Chris Friedhoff]

On Wed, 15 Nov 2006 11:06:34 -0600
"Bill O'Donnell" <billodo@sgi.com> wrote:

- snip - 
> | Probably, Bill didn't update libcap.so.
> No, I didn't...
> certify:~/libcap-1.10/progs # ls -altr /lib/libcap*
> -rwxr-xr-x 1 root root 22672 2006-06-16 09:56 /lib/libcap.so.1.92
> -rw-r--r-- 1 root root 53363 2006-11-13 16:04 /lib/libcap.so.1.10
> lrwxrwxrwx 1 root root    14 2006-11-13 16:04 /lib/libcap.so.1 ->libcap.so.1.92
> lrwxrwxrwx 1 root root    11 2006-11-13 16:04 /lib/libcap.so -> libcap.so.1
> 

Why is SLES10 using libcap-1.92?
(googling brought this page:
http://www.me.kernel.org/pub/linux/libs/security/linux-privs/old/kernel-2.3/)

> | 
> | But I can't recommend Bill to update libcap immediately.
> | As Hawk Xu said, it may cause a serious problem on the distro
> | except Fedora Core 6. :(
> 
> What version of libcap is on FC6? 
> 

Are there newer libcap versions then libcap-1.10 available?
(http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/)

> | 
> | I have to recommend to use 'fscaps-1.0-kg.i386.rpm' now.
> | It includes the implementation of interaction between application and xattr.
> | (Of couse, it's one of the features which should be provided by libcap.)
> 
> But that won't work on ia64 will it?

Kaigai also provides a srpm package to compile.
 VFS Capability Support -> fscaps version 1.0 [SRPM]
(http://www.kaigai.gr.jp/pub/fscaps-1.0-kg.src.rpm)

Chris


--------------------
Chris Friedhoff
chris@friedhoff.org

Re: [PATCH 1/1] security: introduce fs caps

[Bill O'Donnell]

On Wed, Nov 15, 2006 at 10:49:23PM +0100, Chris Friedhoff wrote:
| On Wed, 15 Nov 2006 11:06:34 -0600
| "Bill O'Donnell" <billodo@sgi.com> wrote:
| 
| - snip - 
| > | Probably, Bill didn't update libcap.so.
| > No, I didn't...
| > certify:~/libcap-1.10/progs # ls -altr /lib/libcap*
| > -rwxr-xr-x 1 root root 22672 2006-06-16 09:56 /lib/libcap.so.1.92
| > -rw-r--r-- 1 root root 53363 2006-11-13 16:04 /lib/libcap.so.1.10
| > lrwxrwxrwx 1 root root    14 2006-11-13 16:04 /lib/libcap.so.1 ->libcap.so.1.92
| > lrwxrwxrwx 1 root root    11 2006-11-13 16:04 /lib/libcap.so -> libcap.so.1
| > 
| 
| Why is SLES10 using libcap-1.92?
| (googling brought this page:
| http://www.me.kernel.org/pub/linux/libs/security/linux-privs/old/kernel-2.3/)

Good quesion.  My gentoo ia32 machine uses libcap.so.1.10.  Probably a FAQ, 
but is 1.92 actually older than 1.10?

| 
| > | 
| > | But I can't recommend Bill to update libcap immediately.
| > | As Hawk Xu said, it may cause a serious problem on the distro
| > | except Fedora Core 6. :(
| > 
| > What version of libcap is on FC6? 
| > 
| 
| Are there newer libcap versions then libcap-1.10 available?
| (http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/)

| 
| > | 
| > | I have to recommend to use 'fscaps-1.0-kg.i386.rpm' now.
| > | It includes the implementation of interaction between application and xattr.
| > | (Of couse, it's one of the features which should be provided by libcap.)
| > 
| > But that won't work on ia64 will it?
| 
| Kaigai also provides a srpm package to compile.
|  VFS Capability Support -> fscaps version 1.0 [SRPM]
| (http://www.kaigai.gr.jp/pub/fscaps-1.0-kg.src.rpm)

I'll try that next.

Thanks, 
Bill

Re: [PATCH 1/1] security: introduce fs caps

[Chris Friedhoff]

[-- Attachment #1: Type: text/plain, Size: 1387 bytes --]

> Good quesion.  My gentoo ia32 machine uses libcap.so.1.10.  Probably a FAQ, 
> but is 1.92 actually older than 1.10?
looking at these locations, yes
http://www.me.kernel.org/pub/linux/libs/security/linux-privs/old/kernel-2.3/
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/

> | Kaigai also provides a srpm package to compile.
> |  VFS Capability Support -> fscaps version 1.0 [SRPM]
> | (http://www.kaigai.gr.jp/pub/fscaps-1.0-kg.src.rpm)
> 
> I'll try that next.

I installed sles10 in qemu on my pentium-m laptop, compiled  a kernel
with fscap support and installed fscaps-1.0-kg.i386.rpm and got "Invalid
argument (errno=22)" error.
trace output is attached

# id
uid=0(root) gid=0(root) groups=0(root)
# uname -a
Linux sles10 2.6.19-rc3-fscaps-a #2 Fri Nov 17 09:17:40 CET 2006 i686
i686 i386 GNU/Linux
# rpm -q fscaps
fscaps-1.0-kg
# zgrep -i capa /proc/config.gz
CONFIG_SECURITY_FS_CAPABILITIES=y
# setfcaps cap_net_raw=ep /bin/ping
/bin/ping: Invalid argument (errno=22)
# setfcaps cap_sys_module=ep /sbin/modprobe
/sbin/modprobe: Invalid argument (errno=22)
# ls -l /lib/libcap.so*
lrwxrwxrwx 1 root root    11 Nov 17 09:51 /lib/libcap.so -> libcap.so.1
lrwxrwxrwx 1 root root    14 Nov 16 11:57 /lib/libcap.so.1 ->
libcap.so.1.92 -rwxr-xr-x 1 root root 10456 Jun 16
15:14 /lib/libcap.so.1.92



--------------------
Chris Friedhoff
chris@friedhoff.org


[-- Attachment #2: strace-ping-sles10.gz --]
[-- Type: application/octet-stream, Size: 929 bytes --]

Re: [PATCH 1/1] security: introduce fs caps

[Chris Friedhoff]

[-- Attachment #1: Type: text/plain, Size: 185 bytes --]

compiling fscaps-1.0-kg.src.rpm just gives the same result
/bin/ping: Invalid argument (errno=22)
trace output attached

Chris

--------------------
Chris Friedhoff
chris@friedhoff.org

[-- Attachment #2: strace-ping-sles10-b.gz --]
[-- Type: application/octet-stream, Size: 947 bytes --]