Re: [PATCH 1/1] kernel/sysctl.c: Add cap_last_cap to /proc/sys/kernel

From: Lennart Poettering
Date: Wed Oct 19 2011 - 19:09:09 EST


On Mon, 17.10.11 15:39, Andrew Morton (akpm@xxxxxxxxxxxxxxxxxxxx) wrote:

>
> On Sat, 15 Oct 2011 07:50:05 -0700
> Dan Ballard <dan@xxxxxxxxxxxx> wrote:
>
> > Userspace needs to know the highest valid capability of the running
> > kernel, which right now cannot reliably be retrieved from the header
> > files only. The fact that this value cannot be determined properly
> > right now creates various problems for libraries compiled on newer
> > header files which are run on older kernels. They assume
> > capabilities are available which actually aren't.
>
> Specifically, what libraries are we talking about here?

libcap-ng, for example. And we ran into the same problem with systemd too.
>
> > Now the capability is exported in /proc/sys/kernel/cap_last_cap.
>
> Ever the optimist: is there any way in which we can avoid 0444
> permissions on this?

Normal users should be able to query this value, and it's not a security
problem if they do. Hence 0444 appears to be the right setting to me.

Lennart

--
Lennart Poettering - Red Hat, Inc.
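
The runtime check discussed in this thread, as an added example (not code from the thread, libcap-ng or systemd): read /proc/sys/kernel/cap_last_cap instead of trusting the compile-time CAP_LAST_CAP, and fall back to probing the bounding set with prctl(PR_CAPBSET_READ) when the file is absent. The function names, the upper bound of 63 and the probing fallback are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Parse the sysctl text (e.g. "36\n", a constructed sample); -1 if malformed. */
int parse_last_cap(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno || end == text || (*end != '\n' && *end != '\0') || v < 0 || v > 63)
        return -1; /* 63 is an assumed upper bound (64-bit capability masks) */
    return (int)v;
}

/* Read the running kernel's highest valid capability; -1 if unavailable. */
int read_last_cap(const char *path)
{
    char buf[16];
    FILE *f = fopen(path, "r");
    if (!f)
        return -1; /* file absent: kernel does not export the value */
    char *s = fgets(buf, sizeof buf, f);
    fclose(f);
    return s ? parse_last_cap(buf) : -1;
}

/* Fallback: probe the bounding set until the kernel rejects the number. */
int probe_last_cap(void)
{
    int cap = 0;
#ifdef __linux__
    while (cap < 64 && prctl(PR_CAPBSET_READ, cap, 0, 0, 0) >= 0)
        cap++;
#endif
    return cap - 1;
}

/* Runtime validity check, instead of trusting the headers' CAP_LAST_CAP. */
int cap_supported(int cap, int last_cap) { return cap >= 0 && cap <= last_cap; }

int main(void)
{
    int last = read_last_cap("/proc/sys/kernel/cap_last_cap");
    printf("highest valid capability: %d\n", last < 0 ? probe_last_cap() : last);
    return 0;
}
```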