Re: Is CAP_SYS_ADMIN checked by every program !?

[Tetsuo Handa]

Hello,

In message <9033584D-5A24-11D9-989E-000393ACC76E@xxxxxxx>
   "Re: Is CAP_SYS_ADMIN checked by every program !?"
   "Kyle Moffett <mrmacman_g4@xxxxxxx>" wrote:

> On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> > It seems to me that every program calls capable(CAP_SYS_ADMIN),
> 
> Umm, the program has nothing to do with this.  Programs themselves have 
> no
> access to the kernel function "capable".  Probably something in the 
> kernel, perhaps
> triggered by libc or maybe just suid checks, is checking for 
> CAP_SYS_ADMIN. It's
> harmless and irrelevant, why do you care?

I'm developing a kernel patch that provides simple and handy
MAC(mandatory access control) functionality, much easier than SELinux.
And now I'm porting the patch from 2.4 to 2.6,
though the patch can't support LSM, for it refers 'struct vfsmount'.

At first, I doubted that some kernel function (do_execve(), memory management
functions, or any kernel functions that are always called by every process) is
doing this CAP_SYS_ADMIN checking. But may be this CAP_SYS_ADMIN checking is
caused by the Fedora Core 3's libc, not by the kernel.
I don't have 2.6 kernel environment other than Fedora Core 3.

But anyway, I have to give up checking for CAP_SYS_ADMIN .

Thank you.
--
Tetsuo Handa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/