On Saturday 15 July 2006 17:23, Frank v Waveren wrote:
> I was trying to limit some unnecessary capabilities in a UML instance
> with /proc/sys/kernel/cap-bound, but it turned out not to take.

To remove capabilities from the whole system (i.e. all processes) the 
recommended way wasn't to use lcap (or a similar program bundled with 
libcap)?

> The source of the problem (or at least something a bit of the way up
> the garden path of the problem) is at security/commoncap.c:140 at the
> top of cap_bprm_apply_creds(bprm, unsafe):
>
>    void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
>    {
>            /* Derived from fs/exec.c:compute_creds. */
>            kernel_cap_t new_permitted, working;
>
>            new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
>            working = cap_intersect (bprm->cap_inheritable,
>                                     current->cap_inheritable);
>            new_permitted = cap_combine (new_permitted, working);
>            ...
>
> Here the new permitted set gets limited to the bits in cap_bset, which
> is as it should be, but then the intersection of the current
> and exec inheritable masks get added to that set, whereas as I
> understand it, cap_bset should always be the bounding set.
>
> I've tried commenting out that bit and everything worked as I'd hoped
> (I haven't done extensive testing, but bounding the caps worked, as
> did suids and such).
>
> That doesn't explain why it works with those lines left in on a
> non-UML kernel though, so I assume I'm missing something fundamental.
>
> (My guest kernel is
>   Linux version 2.6.16.24 ([EMAIL PROTECTED]) (gcc version 4.0.3 20051201
>   (prerelease) (Debian 4.0.2-5)) #3 Sat Jul 15 16:54:20 CEST 2006
> , should it matter)

-- 
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade
http://www.user-mode-linux.org/~blaisorblade
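The permitted-set computation quoted above, modelled as an added example (not code from the kernel or from either poster): kernel_cap_t is assumed to be a plain 32-bit mask and the global cap_bset is passed in as a parameter, so one can see how bits present in both inheritable sets land in the new permitted set outside the bounding set, and what Frank's variant without the combine step yields instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed simplification for this example: kernel_cap_t as a 32-bit mask. */
typedef uint32_t kernel_cap_t;

#define CAP_TO_MASK(c) ((kernel_cap_t)1u << (c))
/* Bit numbers as defined in linux/capability.h. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_SYS_ADMIN        21

static kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b) { return a & b; }
static kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b)   { return a | b; }

/* The three quoted lines of cap_bprm_apply_creds(), with cap_bset as a
 * parameter instead of the kernel global so several values can be tried. */
kernel_cap_t permitted_as_quoted(kernel_cap_t file_permitted,
                                 kernel_cap_t file_inheritable,
                                 kernel_cap_t proc_inheritable,
                                 kernel_cap_t cap_bset)
{
    kernel_cap_t new_permitted = cap_intersect(file_permitted, cap_bset);
    kernel_cap_t working = cap_intersect(file_inheritable, proc_inheritable);
    return cap_combine(new_permitted, working);
}

/* The same computation with the combine step commented out, as in Frank's test. */
kernel_cap_t permitted_without_combine(kernel_cap_t file_permitted, kernel_cap_t cap_bset)
{
    return cap_intersect(file_permitted, cap_bset);
}

/* Bits of a resulting permitted set that lie outside the bounding set. */
kernel_cap_t outside_bset(kernel_cap_t permitted, kernel_cap_t cap_bset)
{
    return permitted & ~cap_bset;
}

int main(void)
{
    /* Constructed scenario: CAP_SYS_ADMIN dropped from the bounding set, while the
     * exec'd file and the calling process both carry it in their inheritable sets. */
    kernel_cap_t bset  = ~CAP_TO_MASK(CAP_SYS_ADMIN);
    kernel_cap_t fperm = CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_NET_RAW);
    kernel_cap_t finh  = CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_NET_BIND_SERVICE);
    kernel_cap_t pinh  = CAP_TO_MASK(CAP_SYS_ADMIN);
    kernel_cap_t quoted = permitted_as_quoted(fperm, finh, pinh, bset);
    kernel_cap_t nocomb = permitted_without_combine(fperm, bset);
    printf("as quoted : permitted=%#010x outside bset=%#010x\n", quoted, outside_bset(quoted, bset));
    printf("no combine: permitted=%#010x outside bset=%#010x\n", nocomb, outside_bset(nocomb, bset));
    return 0;
}
```

With the quoted formula, CAP_SYS_ADMIN ends up permitted even though it is not in cap_bset; with the combine step removed the result stays within the bounding set.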



_______________________________________________
User-mode-linux-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel