From: Blaisorblade <bla...@ya...> - 2006-07-16 10:31:49

On Saturday 15 July 2006 17:23, Frank v Waveren wrote:
> I was trying to limit some unnecessary capabilities in a UML instance
> with /proc/sys/kernel/cap-bound, but it turned out not to take.

To remove capabilities from the whole system (i.e. all processes), wasn't
the recommended way to use lcap (or a similar program bundled with
libcap)?

> The source of the problem (or at least something a bit of the way up
> the garden path of the problem) is at security/commoncap.c:140 at the
> top of cap_bprm_apply_creds(bprm, unsafe):
>
> void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> {
>         /* Derived from fs/exec.c:compute_creds. */
>         kernel_cap_t new_permitted, working;
>
>         new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
>         working = cap_intersect (bprm->cap_inheritable,
>                                  current->cap_inheritable);
>         new_permitted = cap_combine (new_permitted, working);
>         ...
>
> Here the new permitted set gets limited to the bits in cap_bset, which
> is as it should be, but then the intersection of the current and exec
> inheritable masks gets added to that set, whereas as I understand it,
> cap_bset should always be the bounding set.
>
> I've tried commenting out that bit and everything worked as I'd hoped
> (I haven't done extensive testing, but bounding the caps worked, as
> did suids and such).
>
> That doesn't explain why it works with those lines left in on a
> non-UML kernel though, so I assume I'm missing something fundamental.
>
> (My guest kernel is
> Linux version 2.6.16.24 (fv...@ju...) (gcc version 4.0.3 20051201
> (prerelease) (Debian 4.0.2-5)) #3 Sat Jul 15 16:54:20 CEST 2006
> , should it matter)

--
Inform me of my mistakes, so I can keep imitating Homer Simpson's "Doh!".
Paolo Giarrusso, aka Blaisorblade
http://www.user-mode-linux.org/~blaisorblade
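As an added illustration that is not part of this thread and not kernel code: a userspace model in C of the arithmetic in the cap_bprm_apply_creds() excerpt quoted above. It reproduces the quoted computation as written (permitted masked by cap_bset, then the inheritable intersection OR-ed in unbounded), next to the variant with the inheritable term removed, and a helper that reports whether the resulting permitted set contains any bit outside cap_bset. A uint32_t stands in for kernel_cap_t (a 32-bit mask in the 2.6.16 series), cap_intersect/cap_combine are plain bit operations here, and the scenario masks are constructed for the example; the capability bit numbers are the ones from linux/capability.h.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not from the thread and not kernel code: a userspace
 * model of the arithmetic in the 2.6.16 cap_bprm_apply_creds() excerpt.
 * kernel_cap_t was a 32-bit mask in that kernel series, so uint32_t stands
 * in for it here.
 */
typedef uint32_t cap_mask_t;

/* Capability bit numbers from linux/capability.h used by this example. */
#define CAP_NET_RAW    13
#define CAP_SYS_MODULE 16

#define CAP_BIT(c) ((cap_mask_t)1u << (c))
#define CAP_FULL   ((cap_mask_t)~0u)

/* Stand-ins for the kernel helpers named in the excerpt. */
static cap_mask_t cap_intersect(cap_mask_t a, cap_mask_t b) { return a & b; }
static cap_mask_t cap_combine(cap_mask_t a, cap_mask_t b)   { return a | b; }

/*
 * The quoted computation, unchanged: permitted is masked by cap_bset, then
 * the intersection of the file's and the process's inheritable sets is
 * OR-ed in without passing through cap_bset.
 */
cap_mask_t new_permitted_2616(cap_mask_t bprm_permitted,
                              cap_mask_t bprm_inheritable,
                              cap_mask_t current_inheritable,
                              cap_mask_t cap_bset)
{
    cap_mask_t new_permitted = cap_intersect(bprm_permitted, cap_bset);
    cap_mask_t working = cap_intersect(bprm_inheritable, current_inheritable);
    return cap_combine(new_permitted, working);
}

/* The variant Frank describes trying: the inheritable term commented out. */
cap_mask_t new_permitted_without_inheritable(cap_mask_t bprm_permitted,
                                             cap_mask_t cap_bset)
{
    return cap_intersect(bprm_permitted, cap_bset);
}

/* Does a permitted set contain bits that cap_bset was meant to bound away? */
int escapes_bset(cap_mask_t permitted, cap_mask_t cap_bset)
{
    return (permitted & ~cap_bset) != 0;
}

int main(void)
{
    /* Constructed scenario: CAP_SYS_MODULE dropped from cap_bset, as one
     * would do through /proc/sys/kernel/cap-bound. */
    cap_mask_t cap_bset = CAP_FULL & ~CAP_BIT(CAP_SYS_MODULE);

    /* Constructed exec: full permitted set on the new image, and
     * CAP_SYS_MODULE present in both inheritable sets. */
    cap_mask_t bprm_permitted      = CAP_FULL;
    cap_mask_t bprm_inheritable    = CAP_BIT(CAP_SYS_MODULE) | CAP_BIT(CAP_NET_RAW);
    cap_mask_t current_inheritable = CAP_BIT(CAP_SYS_MODULE);

    cap_mask_t with_inh = new_permitted_2616(bprm_permitted, bprm_inheritable,
                                             current_inheritable, cap_bset);
    cap_mask_t without  = new_permitted_without_inheritable(bprm_permitted, cap_bset);
    /* Same exec, but the calling process has an empty inheritable set: the
     * inheritable term then contributes nothing and cap_bset holds. */
    cap_mask_t empty_inh = new_permitted_2616(bprm_permitted, bprm_inheritable,
                                              0, cap_bset);

    printf("cap_bset                  = 0x%08" PRIx32 "\n", cap_bset);
    printf("permitted (quoted code)   = 0x%08" PRIx32 "  escapes bset: %d\n",
           with_inh, escapes_bset(with_inh, cap_bset));
    printf("permitted (term removed)  = 0x%08" PRIx32 "  escapes bset: %d\n",
           without, escapes_bset(without, cap_bset));
    printf("permitted (empty inherit) = 0x%08" PRIx32 "  escapes bset: %d\n",
           empty_inh, escapes_bset(empty_inh, cap_bset));
    return 0;
}
```

The model only shows what the quoted lines compute: whether the inheritable term can reintroduce a capability removed from cap_bset depends entirely on what the calling process already carries in its own inheritable set, which is why the same code can appear to bound correctly in one environment and not in another.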