Commit 8cdbc2b9 authored by Andrew G. Morgan's avatar Andrew G. Morgan Committed by Linus Torvalds

capabilities: add (back) dummy support for KEEPCAPS

The dummy module is used by folk that run security conscious code(!?).  A
feature of such code (for example, dhclient) is that it tries to operate
with minimum privilege (dropping unneeded capabilities).  While the dummy
module doesn't restrict code execution based on capability state, the user
code expects the kernel to appear to support it.  This patch adds back
faked support for the PR_SET_KEEPCAPS etc., calls - making the kernel
behave as before 2.6.26.

For details see: http://bugzilla.kernel.org/show_bug.cgi?id=10748

Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Cc: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 57d3c64f
...@@ -27,6 +27,8 @@ ...@@ -27,6 +27,8 @@
#include <linux/hugetlb.h> #include <linux/hugetlb.h>
#include <linux/ptrace.h> #include <linux/ptrace.h>
#include <linux/file.h> #include <linux/file.h>
#include <linux/prctl.h>
#include <linux/securebits.h>
static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
{ {
...@@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info, ...@@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3, static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
unsigned long arg4, unsigned long arg5, long *rc_p) unsigned long arg4, unsigned long arg5, long *rc_p)
{ {
return 0; switch (option) {
case PR_CAPBSET_READ:
*rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
break;
case PR_GET_KEEPCAPS:
*rc_p = issecure(SECURE_KEEP_CAPS);
break;
case PR_SET_KEEPCAPS:
if (arg2 > 1)
*rc_p = -EINVAL;
else if (arg2)
current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
else
current->securebits &=
~issecure_mask(SECURE_KEEP_CAPS);
break;
default:
return 0;
}
return 1;
} }
static void dummy_task_reparent_to_init (struct task_struct *p) static void dummy_task_reparent_to_init (struct task_struct *p)
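Review bot: The two success branches of `case PR_SET_KEEPCAPS:` in dummy_task_prctl change `current->securebits` but never write `*rc_p`, although the function then returns 1 to report the option as handled. The value prctl() hands back to user space on success therefore depends on the caller having initialised that variable, and the caller is not visible in this hunk. Writing `*rc_p = 0;` as the first statement of that case, before the `if (arg2 > 1)` test, keeps the result defined without relying on the call site. A short comment above the function would also help, for example `/* Returns 1 with *rc_p set when the option is handled here, 0 to let the caller handle it. */`. The bounding-set drop request is not among the faked options, so privilege-dropping code that issues it would presumably take the `default:` path; if that is intended, it should be stated in the same comment.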