Andrew,

Yes, as Kevin suggests 'old' meant 1.x, which is pretty much the only version of libcap in wide distribution. Libcap is available here:

http://www.kernel.org/pub/linux/libs/security/linux-privs/

Attached is a modification of the problematic kernel message - I had no idea these messages would generate so much consternation. I've rewritten it, but I'm not altogether clear what level of detail is permitted/desirable. Is this ok?

Cheers

Andrew

>>>> My venerable FC1 machine says
>>>>
>>>> warning: process `zsh' gets w/ old libcap
>>>> warning: process `zsh' gets w/ old libcap
>>>> warning: process `zsh' gets w/ old libcap
>>>>
>>>> should I be scared?
>>> It should be safe as of Andrew's latest patch. (Before that patch it
>>> was only unsafe because root's capabilities are just set to {~0,~0} so
>>> they include invalid capabilities.)
>>>
>>> Agreed a better error message would be good.
>> yup
>>
>>> Would it be inappropriate
>>> to include the URL for new libcap versions?
>> I doubt it, really. Anyone who's running anything as old as FC1 won't be
>> upgrading (and probably couldn't find a package to upgrade to).
>>
>> Or does "old libcap" here refer to all the versions which are deployed
>> today? If so then we should just kill the message. Or at least make it a
>> once-per-boot thing.
>From fd99fb6f41d04ecf37a61ae8ecc856e8ac686e91 Mon Sep 17 00:00:00 2001 From: Andrew G. Morgan <[EMAIL PROTECTED]> Date: Wed, 21 Nov 2007 21:54:09 -0800 Subject: [PATCH] Clean up warning about legacy (32-bit) capability use When an application (usually via libcap) attempts to use 32-bit capabilities when the kernel supports 64-bit capabilities, we log a kernel warning. We do this exactly once per kernel boot. The warning is just that - the kernel should be able to transparently handle 32-bit capability use. The application will remain limited in the capabilities that it can manipulate until it is relinked with libcap2. Signed-off-by: Andrew G. Morgan <[EMAIL PROTECTED]> --- kernel/capability.c | 36 ++++++++++++++++++++++-------------- 1 files changed, 22 insertions(+), 14 deletions(-) diff --git a/kernel/capability.c b/kernel/capability.c index 9f2db55..e48192f 100644 --- a/kernel/capability.c +++ b/kernel/capability.c @@ -30,6 +30,26 @@ const kernel_cap_t __cap_full_set = CAP_FULL_SET; const kernel_cap_t __cap_init_eff_set = CAP_INIT_EFF_SET; /* + * More recent versions of libcap are available from: + * + * http://www.kernel.org/pub/linux/libs/security/linux-privs/ + */ + +static void warn_legacy_capability_use(void) +{ + static int warned = 0; + if (!warned) { + char name[sizeof(current->comm)]; + + printk(KERN_INFO "warning: `%s' uses 32-bit capabilities" + " (legacy support in use)\n", + get_task_comm(name, current)); + warned = 1; + } + return; +} + +/* * For sys_getproccap() and sys_setproccap(), any of the three * capability set pointers may be NULL -- indicating that that set is * uninteresting and/or not to be changed. 
@@ -59,12 +79,7 @@ asmlinkage long sys_capget(cap_user_header_t header, cap_user_data_t dataptr) switch (version) { case _LINUX_CAPABILITY_VERSION_1: - if (warned < 5) { - warned++; - printk(KERN_INFO - "warning: process `%s' gets w/ old libcap\n", - current->comm); - } + warn_legacy_capability_use(); tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: @@ -223,7 +238,6 @@ static inline int cap_set_all(kernel_cap_t *effective, */ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) { - static int warned; struct __user_cap_data_struct kdata[_LINUX_CAPABILITY_U32S]; unsigned i, tocopy; kernel_cap_t inheritable, permitted, effective; @@ -237,13 +251,7 @@ asmlinkage long sys_capset(cap_user_header_t header, const cap_user_data_t data) switch (version) { case _LINUX_CAPABILITY_VERSION_1: - if (warned < 5) { - char name[sizeof(current->comm)]; - warned++; - printk(KERN_INFO - "warning: process `%s' sets w/ old libcap\n", - get_task_comm(name, current)); - } + warn_legacy_capability_use(); tocopy = _LINUX_CAPABILITY_U32S_1; break; case _LINUX_CAPABILITY_VERSION_2: -- 1.5.1.3
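Review bot: in the first hunk, the new printk in warn_legacy_capability_use() says only "uses 32-bit capabilities (legacy support in use)" and no longer mentions libcap, while the libcap URL sits in a separate comment block above the function that nobody reading the log will see. The commit message says the application stays limited until it is relinked with libcap2, so consider naming libcap in the message text and moving the URL comment into the function so it is clearly attached to the warning. Smaller points in the same hunk: `static int warned = 0;` does not need the explicit initialiser, the trailing `return;` in a void function is redundant, and the check-then-set on `warned` is unsynchronised, so two tasks entering the legacy path at the same time can both print. That is harmless, but it makes "exactly once per kernel boot" in the commit message best-effort rather than guaranteed. The merged message also drops the gets/sets distinction the two old messages carried; say so in the changelog if that is intended.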
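Review bot: the sys_capget hunk removes the only visible use of `warned` in that function (`if (warned < 5) {`), but no declaration is removed there, whereas the sys_capset hunk explicitly drops `- static int warned;`. The hunk context starts at the switch statement and does not show sys_capget's locals, so please check whether sys_capget has its own `static int warned`; if it does, it is now unused and should be deleted in this patch to avoid an unused-variable warning.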