Re: [PATCH] [request for inclusion] Realtime LSM

From: Chris Wright
Date: Fri Jan 07 2005 - 12:32:31 EST

Next message: Daniel Gryniewicz: "Re: Process blocking behaviour"
Previous message: Denis Vlasenko: "Re: [PATCH] ALPS touchpad detection fix"
In reply to: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Martin Mares (mj@xxxxxx) wrote:
> Hello!
>
> > They are present but disabled by default. You have to hack the initial
> > values of CAP_INIT_EFF_SET and CAP_INIT_IHN_SET.
>
> Oops. Does anybody know why this has been done?

Yes, SETPCAP became a gaping security hole. Recall the sendmail hole.

> Also, it seems that it has a relatively easy work-around: boot with
> init=/sbin/simple-wrapper and let the wrapper set the cap_bset and exec real
> init. (I agree that it's a hack, but a temporarily usable one.)

This won't work, you can't increase the bset, which is hardcoded to
leave out SETPCAP. Also, init is hard coded to start without SETPCAP.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Daniel Gryniewicz: "Re: Process blocking behaviour"
Previous message: Denis Vlasenko: "Re: [PATCH] ALPS touchpad detection fix"
In reply to: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Next in thread: Martin Mares: "Re: [PATCH] [request for inclusion] Realtime LSM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]