Marek Zelem wrote:
>Our new formula:
> * (***) pP' = (fP & X) | (fI & pI)
> * pI' = pP'
> * pE' = ((pP' & pE) | fP) & X & fE
Can you say anything about why this is safe and doesn't introduce
vulnerabilities? (The capabilities misfeature that caused sendmail
8.10.1 to leak root privilege really drove home for me the subtlety of
this stuff.)
Also, the meaning of fE and fP seem backwards from what I would have
expected. Maybe this reflects a lack in my understanding in capabilities,
but I thought 'effective' refers to capabilities you're allowed to invoke
at the moment, whereas 'permitted' refers to an upper bound on what
capabilities you're allowed enable in 'effective', consequently I would
have swapped the treatment of fE and fP. Can you clear up my confusion?
Finally, what's the story behind the changes to CAP_INIT_EFF_SET and
CAP_INIT_INH_SET, and the business with CAP_SETPCAP? If I understand
correctly, one side-effect of this change is that you've changed cap_bset
(X, the global bound on capabilities above) to add CAP_SETPCAP to it.
Is this safe? What motivated this change? Did I understand correctly?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Apr 15 2002 - 22:00:26 EST