Re: [PATCH] exporting capability code/name pairs (try #4)

From: Serge E. Hallyn
Date: Tue Feb 12 2008 - 13:09:26 EST


Quoting Kohei KaiGai (kaigai@xxxxxxxxxxxxx):
> This patch enables exporting the code/name pairs of the capabilities supported
> by the running kernel under /sys/kernel/capability.
> We can apply it to the latest Linus git tree.
>
> Changes from the previous version:
> - I added "names/" and "codes/" directories, so we can use them
> to look up a capability code or name non-sequentially.
> In the previous version, we had to scan all of the entries to look up
> a capability name by its code.
> (required by Andrew Morgan)
> - I added an assertion for when "mkcapnames.sh" works incorrectly.
> (required by Serge E. Hallyn)
>
> In addition, Andrew suggested that I export these translations as symlinks
> to reduce the number of system call invocations.
> However, the current sysfs interface does not allow creating symlinks with
> invalid indication.
> Thus, this patch exports them as regular files.
>
> --------------------------------------------------------
> [kaigai@saba ~]$ ls -R /sys/kernel/capability/
> /sys/kernel/capability/:
> codes names version
>
> /sys/kernel/capability/codes:
> 0 10 12 14 16 18 2 21 23 25 27 29 30 32 4 6 8
> 1 11 13 15 17 19 20 22 24 26 28 3 31 33 5 7 9
>
> /sys/kernel/capability/names:
> cap_audit_control cap_kill cap_net_raw cap_sys_nice
> cap_audit_write cap_lease cap_setfcap cap_sys_pacct
> cap_chown cap_linux_immutable cap_setgid cap_sys_ptrace
> cap_dac_override cap_mac_admin cap_setpcap cap_sys_rawio
> cap_dac_read_search cap_mac_override cap_setuid cap_sys_resource
> cap_fowner cap_mknod cap_sys_admin cap_sys_time
> cap_fsetid cap_net_admin cap_sys_boot cap_sys_tty_config
> cap_ipc_lock cap_net_bind_service cap_sys_chroot
> cap_ipc_owner cap_net_broadcast cap_sys_module
> [kaigai@saba ~]$ cat /sys/kernel/capability/codes/20
> cap_sys_pacct
> [kaigai@saba ~]$ cat /sys/kernel/capability/names/cap_mknod
> 27
> [kaigai@saba ~]$
> --------------------------------------------------------
> Any comments, please.
>
> Thanks,
>
> Signed-off-by: KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
> ----
> scripts/mkcapnames.sh | 44 +++++++++++++++++++
> security/Kconfig | 9 ++++
> security/Makefile | 11 +++++
> security/capability.c | 115 +++++++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 179 insertions(+), 0 deletions(-)
>
> diff --git a/scripts/mkcapnames.sh b/scripts/mkcapnames.sh
> index e69de29..9e7290f 100644
> --- a/scripts/mkcapnames.sh
> +++ b/scripts/mkcapnames.sh
> @@ -0,0 +1,44 @@
> +#!/bin/sh
> +
> +#
> +# generate a cap_names.h file from include/linux/capability.h
> +#
> +
> +CAPHEAD="`dirname $0`/../include/linux/capability.h"
> +REGEXP='^#define CAP_[A-Z_]+[ ]+[0-9]+$'
> +NUMCAP=`cat "$CAPHEAD" | egrep -c "$REGEXP"`
> +
> +echo '#ifndef CAP_NAMES_H'
> +echo '#define CAP_NAMES_H'
> +echo
> +echo '/*'
> +echo ' * Do NOT edit this file directly.'
> +echo ' * This file is generated from include/linux/capability.h automatically'
> +echo ' */'
> +echo
> +echo '#if !defined(SYSFS_CAP_NAME_ENTRY) || !defined(SYSFS_CAP_CODE_ENTRY)'
> +echo '#error cap_names.h should be included from security/capability.c'
> +echo '#else'
> +echo "#if $NUMCAP != CAP_LAST_CAP + 1"
> +echo '#error mkcapnames.sh cannot collect capabilities correctly'
> +echo '#else'
> +cat "$CAPHEAD" | egrep "$REGEXP" \
> + | awk '{ printf("SYSFS_CAP_NAME_ENTRY(%s,%s);\n", tolower($2), $2); }'
> +echo
> +echo 'static struct attribute *capability_name_attrs[] = {'
> +cat "$CAPHEAD" | egrep "$REGEXP" \
> + | awk '{ printf("\t&%s_name_attr.attr,\n", tolower($2)); } END { print "\tNULL," }'
> +echo '};'
> +
> +echo
> +cat "$CAPHEAD" | egrep "$REGEXP" \
> + | awk '{ printf("SYSFS_CAP_CODE_ENTRY(%s,%s);\n", tolower($2), $2); }'
> +echo
> +echo 'static struct attribute *capability_code_attrs[] = {'
> +cat "$CAPHEAD" | egrep "$REGEXP" \
> + | awk '{ printf("\t&%s_code_attr.attr,\n", tolower($2)); } END { print "\tNULL," }'
> +echo '};'
> +
> +echo '#endif'
> +echo '#endif'
> +echo '#endif'
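Review bot: the regexp `'^#define CAP_[A-Z_]+[ ]+[0-9]+$'` accepts only spaces between the macro name and its value, so a define written with a tab, or with trailing whitespace, is silently dropped from both tables; the `#if $NUMCAP != CAP_LAST_CAP + 1` guard then turns that into a build error, but with a message that blames the script rather than pointing at the offending line. `[[:space:]]+` for the separator and `[[:space:]]*$` at the end avoid that. Style points: `cat "$CAPHEAD" | egrep "$REGEXP"` is repeated four times, so a single `grep -E "$REGEXP" "$CAPHEAD"` captured once (or one awk pass producing all four sections) would read the header once; `dirname $0` should be quoted; and a usage comment saying that the script writes the header to stdout and is meant to be redirected into cap_names.h by the build would help the next reader.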
> diff --git a/security/Kconfig b/security/Kconfig
> index 25ffe1b..b79e830 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -91,6 +91,15 @@ config SECURITY_FILE_CAPABILITIES
>
> If in doubt, answer N.
>
> +config SECURITY_CAPABILITIES_EXPORT
> + bool "Exporting capabilities kernel supported"
> + depends on SECURITY_CAPABILITIES && SYSFS
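Review bot: `depends on SECURITY_CAPABILITIES && SYSFS` makes the export unavailable when SECURITY=n, even though commoncap is still compiled in for that configuration (the mismatch the reply below describes); depending on whatever symbol actually tracks commoncap being built would match the code this option exports. Also, the prompt string "Exporting capabilities kernel supported" is ungrammatical; something like "Export the capabilities supported by the kernel" reads better.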

Oh no, we're being bitten by this again... When SECURITY=n, capabilities
are compiled in but SECURITY_CAPABILITIES=n.

Months ago I floated the following patch so we'd have a CONFIG variable
to let us know whether commoncap is compiled in. You might want to use
this and depend on CONFIG_COMMONCAP? (Though really I personally don't
think you need your own config variable for this)

Other than that, this tested fine for me.

thanks,
-serge
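The generator that mkcapnames.sh implements, reworked in Python as an added example (not part of the patch or of this thread) to show the count guard the assertion relies on and what it does not catch. The header excerpt is constructed, tab handling and the contiguity check go beyond the script, and the generated layout mirrors the patch's cap_names.h.

```python
import re

# Constructed excerpt standing in for include/linux/capability.h (not the real
# file); the tab-separated line is the case the patch's "[ ]+" regexp skips.
CAP_HEADER = """\
#define CAP_CHOWN            0
#define CAP_DAC_OVERRIDE     1
#define CAP_DAC_READ_SEARCH\t2
#define CAP_FOWNER           3
#define CAP_LAST_CAP         CAP_FOWNER
"""

# \s+ accepts tabs as well as spaces; CAP_LAST_CAP has no numeric value and is skipped.
CAP_DEFINE = re.compile(r"^#define\s+(CAP_[A-Z_]+)\s+(\d+)\s*$", re.M)


def parse_caps(header: str) -> dict:
    """Return {CAP_NAME: code} in header order, rejecting duplicate names."""
    caps = {}
    for name, code in CAP_DEFINE.findall(header):
        if name in caps:
            raise ValueError(f"duplicate define {name}")
        caps[name] = int(code)
    return caps


def check_contiguous(caps: dict) -> int:
    """Codes must be exactly 0..N-1. The patch's count guard compares only the
    number of entries with CAP_LAST_CAP + 1, so a duplicated code paired with a
    missing one slips past it; checking the set of codes does not."""
    codes = sorted(caps.values())
    if codes != list(range(len(codes))):
        raise ValueError(f"capability codes are not contiguous: {codes}")
    return len(codes)


def gen_cap_names_h(header: str) -> str:
    """Emit the same cap_names.h layout as mkcapnames.sh, including its #if guard."""
    caps = parse_caps(header)
    n = check_contiguous(caps)
    out = ["#ifndef CAP_NAMES_H", "#define CAP_NAMES_H", "",
           "#if !defined(SYSFS_CAP_NAME_ENTRY) || !defined(SYSFS_CAP_CODE_ENTRY)",
           "#error cap_names.h should be included from security/capability.c",
           "#else", f"#if {n} != CAP_LAST_CAP + 1",
           "#error mkcapnames.sh cannot collect capabilities correctly", "#else"]
    for kind in ("name", "code"):  # one attribute table each for names/ and codes/
        out += [f"SYSFS_CAP_{kind.upper()}_ENTRY({c.lower()},{c});" for c in caps]
        out.append(f"static struct attribute *capability_{kind}_attrs[] = {{")
        out += [f"\t&{c.lower()}_{kind}_attr.attr," for c in caps] + ["\tNULL,", "};"]
    out += ["#endif"] * 3  # closes the two #if guards and the include guard
    return "\n".join(out) + "\n"
```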