On Sun, Jul 16, 2006 at 12:31:51PM +0200, Blaisorblade wrote:
> On Saturday 15 July 2006 17:23, Frank v Waveren wrote:
> > I was trying to limit some unnecessary capabilities in a UML instance
> > with /proc/sys/kernel/cap-bound, but it turned out not to take.
>
> To remove capabilities from the whole system (i.e. all processes) the
> recommended way wasn't to use lcap (or a similar program bundled with
> libcap)?

Yup, lcap is just an interface to /proc/sys/kernel/cap-bound.
> > The source of the problem (or at least something a bit of the way up
> > the garden path of the problem) is at security/commoncap.c:140 at the
> > top of cap_bprm_apply_creds(bprm, unsafe):
> >
> > void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> > {
> > /* Derived from fs/exec.c:compute_creds. */
> > kernel_cap_t new_permitted, working;
> >
> > new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> > working = cap_intersect (bprm->cap_inheritable,
> > current->cap_inheritable);
> > new_permitted = cap_combine (new_permitted, working);
> > ...
> >
> > Here the new permitted set gets limited to the bits in cap_bset, which
> > is as it should be, but then the intersection of the current
> > and exec inheritable masks gets added to that set, whereas as I
> > understand it, cap_bset should always be the bounding set.
> >
> > I've tried commenting out that bit and everything worked as I'd hoped
> > (I haven't done extensive testing, but bounding the caps worked, as
> > did suids and such).
> >
> > That doesn't explain why it works with those lines left in on a
> > non-UML kernel though, so I assume I'm missing something fundamental.
> >
> > (My guest kernel is
> > Linux version 2.6.16.24 ([EMAIL PROTECTED]) (gcc version 4.0.3 20051201
> > (prerelease) (Debian 4.0.2-5)) #3 Sat Jul 15 16:54:20 CEST 2006
> > , should it matter)
--
Frank v Waveren
[EMAIL PROTECTED]
Public key: hkp://wwwkeys.pgp.net/468D62C8
Key fingerprint: BDD7 D61E 5D39 CF05 4BFC F57A FA00 7D51 468D 62C8
_______________________________________________
User-mode-linux-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/user-mode-linux-devel
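An added model of the arithmetic in the quoted cap_bprm_apply_creds excerpt (example code written for this thread, not kernel code): it shows on constructed sets why a capability cleared from cap_bset can still land in the new permitted set through the inheritable intersection, and beside it a hypothetical variant that masks the whole result with cap_bset. The 32-bit mask stands in for the kernel_cap_t of that era; the capability bit numbers are from include/linux/capability.h.

```c
/* Added example, not kernel code: models the permitted-set computation
 * quoted from security/commoncap.c (2.6.16) with a 32-bit capability mask. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t cap_t;
#define CAP_BIT(n)     ((cap_t)1u << (n))
#define CAP_NET_RAW    13
#define CAP_SYS_MODULE 16
#define CAP_SYS_ADMIN  21

/* As quoted: the file's permitted bits are intersected with cap_bset, but
 * the inheritable intersection is combined in afterwards, unbounded. */
cap_t permitted_as_quoted(cap_t file_perm, cap_t file_inh,
                          cap_t proc_inh, cap_t cap_bset)
{
    cap_t new_permitted = file_perm & cap_bset;   /* cap_intersect */
    cap_t working = file_inh & proc_inh;          /* cap_intersect */
    return new_permitted | working;               /* cap_combine   */
}

/* Hypothetical variant (an assumption for illustration, not a kernel
 * change): apply cap_bset to the combined result so it truly bounds. */
cap_t permitted_bounded(cap_t file_perm, cap_t file_inh,
                        cap_t proc_inh, cap_t cap_bset)
{
    return ((file_perm & cap_bset) | (file_inh & proc_inh)) & cap_bset;
}

int main(void)
{
    /* Constructed scenario: CAP_SYS_MODULE removed via cap-bound, yet both
     * the exec'ing process and the file carry it in their inheritable sets. */
    cap_t cap_bset  = ~CAP_BIT(CAP_SYS_MODULE);
    cap_t file_perm = CAP_BIT(CAP_NET_RAW) | CAP_BIT(CAP_SYS_MODULE);
    cap_t file_inh  = CAP_BIT(CAP_SYS_MODULE);
    cap_t proc_inh  = CAP_BIT(CAP_SYS_MODULE) | CAP_BIT(CAP_SYS_ADMIN);

    cap_t quoted  = permitted_as_quoted(file_perm, file_inh, proc_inh, cap_bset);
    cap_t bounded = permitted_bounded(file_perm, file_inh, proc_inh, cap_bset);
    printf("as quoted: CAP_SYS_MODULE %s\n",
           (quoted & CAP_BIT(CAP_SYS_MODULE)) ? "kept" : "dropped");
    printf("bounded:   CAP_SYS_MODULE %s\n",
           (bounded & CAP_BIT(CAP_SYS_MODULE)) ? "kept" : "dropped");
    return 0;
}
```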
