Re: [PATCH] Properly split capset_check+capset_set

[Chris Wright]

* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> As Stephen Smalley pointed out, the cap_capset_check code is redundant
> with what is hardcoded in kernel/capability.c:sys_capset().  On the
> other hand, because the security_capset_set hook is responsible for
> doing both an authorization check and doing the actual change,
> (particularly, in the case of a cap_set_all or cap_set_pg), when
> stacking security modules, the first module may complete the
> capset_set before the second module refuses permission.

The problem is that the module was (theoretically) allowed to manage
capability bits all on its own.  I think it's a bit of a braindamaged
idea though, and the bits should just stay in the ->cap_* fields.

> The attached patch (against 2.6.10-rc3-mm1 w/ ioctl patch) removes the
> redundant cap_capset_check hook and moves the security_capset_check
> call to just before security_capset_set.  The selinux_capset_set hook
> now simply sets the capability (through its secondary), while
> selinux_capset_check checks the authorization permission.

I think Stephen mentioned this already, but you lose an error now,
where you continue in cap_set_all().

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/