Quoting Kees Cook (keesc...@chromium.org): > On Sun, Oct 7, 2012 at 2:56 AM, Andrew Vagin <ava...@openvz.org> wrote: > > Without this patch it is really hard to interpret a bounding set, > > if CAP_LAST_CAP is unknown for a current kernel. > > > > Non-existant capabilities can not be deleted from a bounding set > > with help of prctl. > > > > E.g.: Here are two examples without/with this patch. > > CapBnd: ffffffe0fdecffff > > CapBnd: 00000000fdecffff > > > > I suggest to hide non-existent capabilities. Here is two reasons. > > * It's logically and easier for using. > > * It helps to checkpoint-restore capabilities of tasks, because tasks > > can be restored on another kernel, where CAP_LAST_CAP is bigger. > > > > v2: Non-existent capabilities can not be removed from creds, because > > in this case user cannot set all=eip. This patch cleans up non-existent > > capabilities from content of /proc/pid/status > > > > Cc: Andrew G. Morgan <mor...@kernel.org> > > Cc: Serge Hallyn <serge.hal...@canonical.com>
Basic capsh tests seem to have no problem with it. Thanks, Andrew. Reviewed-by: Serge E. Hallyn <serge.hal...@canonical.com> > > Cc: Pavel Emelyanov <xe...@parallels.com> > > Cc: Andrew Morton <a...@linux-foundation.org> > > Cc: Kees Cook <keesc...@chromium.org> > > Cc: KAMEZAWA Hiroyuki <kamezawa.hir...@jp.fujitsu.com> > > Signed-off-by: Andrew Vagin <ava...@openvz.org> > > Seems sensible to me. > > Reviewed-by: Kees Cook <keesc...@chromium.org> > > -Kees > > -- > Kees Cook > Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
