Re: [PATCH] capabilities: Ambient capability set V2

From: Christoph Lameter
Date: Fri Mar 06 2015 - 13:53:34 EST


On Fri, 6 Mar 2015, Serge E. Hallyn wrote:

> Sorry, something about that patch-patch didn't make sense to me, but I
> need to look more closely. My objection was that you were able to get the
> pA capabilities into pP without them being in your pI. Your proposed
> change didn't seem like it would fix that.

Just tried to fix that. Could it be that cap_inherited is never set even
for a binary that has

christoph@fujitsu-haswell:~$ getcap ambient_test

ambient_test = cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_nice+eip


I added some printks and it seems that current_cred()->cap_inherited is
not set when running ambient_test.

Index: linux/security/commoncap.c
===================================================================
--- linux.orig/security/commoncap.c 2015-03-06 11:05:10.802218196
-0600
+++ linux/security/commoncap.c 2015-03-06 12:50:38.424330679 -0600
@@ -456,6 +456,10 @@ static int get_file_caps(struct linux_bi
kernel_cap_t relevant_ambient = cap_intersect(
current_cred()->cap_ambient,
current_cred()->cap_inheritable);
+ printk("task->comm %s: Amb=%x Inh=%x relevant=%x\n",
+ current->comm, current_cred()->cap_ambient.cap[0],
+ current_cred()->cap_inheritable.cap[0],
+ relevant_ambient.cap[0]);
rc = 0;
if (!cap_isclear(relevant_ambient)) {
/*
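Review bot: the printk added at the top of the hunk has no log level and formats only `cap[0]` of each set, so it is emitted at the default level on every exec and shows just the low 32 capability bits; capabilities numbered 32 and above (e.g. CAP_AUDIT_READ, 37) would never appear in Amb/Inh/relevant. If the line is kept for another debugging round, make it `pr_debug()` and print `cap[1]` alongside `cap[0]`; it should be dropped entirely before the patch is resubmitted.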



Mar 6 12:42:18 fujitsu-haswell kernel: [ 284.715051] task->comm ambient_test: Amb=803000 Inh=0 relevant=0
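To make the rule under discussion concrete, here is an added C model (not code from this thread or from the kernel) of how the exec-time permitted set comes out when the ambient contribution is clipped to pA & pI as in the hunk above; the file-capability terms follow the capabilities(7) formula, the capability numbers are the standard ones, and using one 64-bit word in place of kernel_cap_t is my own simplification so that bits above 31 are not lost.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SETPCAP   8
#define CAP_NET_ADMIN 12
#define CAP_NET_RAW   13
#define CAP_SYS_NICE  23
#define CAP_BIT(c) ((uint64_t)1 << (c))

/* One 64-bit word stands in for kernel_cap_t (assumption for this model). */
typedef uint64_t capset_t;

/* The hunk's rule: only ambient caps that are also inheritable count. */
capset_t relevant_ambient(capset_t pA, capset_t pI)
{
    return pA & pI;
}

/* Permitted set after exec: capabilities(7) file terms plus the
 * clipped ambient term from the hunk. A file carrying its own
 * capability bits is "privileged", so the ambient term is dropped. */
capset_t permitted_after_exec(capset_t pA, capset_t pI, capset_t bound,
                              capset_t fP, capset_t fI)
{
    capset_t from_file = (pI & fI) | (fP & bound);
    bool file_privileged = (fP | fI) != 0;
    capset_t amb = file_privileged ? 0 : relevant_ambient(pA, pI);
    return from_file | amb;
}

/* Reproduce the printk values above: Amb=0x803000 (net_admin, net_raw,
 * sys_nice), Inh=0. With pI empty nothing from pA can reach pP. */
capset_t log_case_relevant(void)
{
    capset_t amb = CAP_BIT(CAP_NET_ADMIN) | CAP_BIT(CAP_NET_RAW) |
                   CAP_BIT(CAP_SYS_NICE);
    return relevant_ambient(amb, 0);
}

int main(void)
{
    capset_t pA = 0x803000, all = ~(capset_t)0;
    printf("relevant (log case) = %#llx\n",
           (unsigned long long)log_case_relevant());
    printf("pP' with pI=0:  %#llx\n",
           (unsigned long long)permitted_after_exec(pA, 0, all, 0, 0));
    printf("pP' with pI=pA: %#llx\n",
           (unsigned long long)permitted_after_exec(pA, pA, all, 0, 0));
    return 0;
}
```

The second and third lines of output show the point of Serge's objection: the same ambient set yields an empty pP' when pI is empty and the full set only once those capabilities are also inheritable.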

