Re: [PATCH] Properly split capset_check+capset_set

[Chris Wright]

* Serge E. Hallyn (serue@xxxxxxxxxx) wrote:
> Quoting Stephen Smalley (sds@xxxxxxxxxxxxxx):
> > necessary to preserve any error return in the cases where capset() is
> > being applied to multiple processes, but in the case where it is being
> > applied to a single specific process, it would be nice if any error
> > return from security_capset_check() would be returned to the caller.
> 
> In the case of pid<0, would we want to do something like "return an error
> if none of the sets was allowed, else return 0", or is that too ugly?

The signal code returns an error if any delivery failed.  So, there's at
least precedence for that type of behaviour.

> > I also wonder whether the existing hardcoded checks should be moved into
> > the new security_capset_check() hook function for dummy and commoncap so
> > that they will be applied to the real target, even when pid < 0. 
> > Otherwise, those hardcoded checks seem bogus in the pid < 0 case, as
> > they are then applied to current rather than to the true targets.
> 
> True, this (testing applicability of caps to the real targets in pid<0 case)
> certainly seems like a good thing, so the attached patch leaves that
> check in cap_capset_check, and just removes it from sys_capset() instead.

Yeah, it is inconsistent right now.  Don't forget, the dummy code doesn't
even allow for capability setting.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/