From: Serge E. Hallyn on 27 Apr 2010 16:50
Granting userid capabilities to another task is a dangerous privilege. Don't just let file permissions authorize it. Define CAP_GRANT_ID as a new capability needed to write to /dev/caphash. For one thing this lets us start a factotum server early on in init, then have init drop CAP_GRANT_ID from its bounding set so the rest of the system cannot regain it. (This patch is only useful if the next patch, introducing p9auth fs, is upstreamed) TODO - patch for capabilities.7 manpage
Signed-off-by: Serge E. Hallyn <serue(a)us.ibm.com>
Cc: Michael Kerrisk <mtk.manpages(a)gmail.com>
Cc: Andrew Morgan <morgan(a)kernel.org>
Cc: James Morris <jmorris(a)namei.org>
Cc: linux-security-module(a)vger.kernel.org
---
 include/linux/capability.h | 6 +++++-
 security/selinux/include/classmap.h | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 39e5ff5..ba2cbfe 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -355,7 +355,11 @@ struct cpu_vfs_cap_data {
 #define CAP_MAC_ADMIN 33
-#define CAP_LAST_CAP CAP_MAC_ADMIN
+/* Allow granting setuid capabilities through p9auth /dev/caphash */
+
+#define CAP_GRANT_ID 34
+
+#define CAP_LAST_CAP CAP_GRANT_ID
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 8b32e95..f0ec53a 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
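Review bot: The comment added above `CAP_GRANT_ID` says "setuid capabilities", while the description speaks of userid capabilities and of write access to /dev/caphash, so the comment does not state what the capability actually gates. I would word it to match the check, for example `/* Allow writing to /dev/caphash (p9auth) to grant a userid capability to another task */`. Because the define also raises `CAP_LAST_CAP`, a task that already holds a full capability set presumably gains the new bit as well, so the restriction only bites where it is dropped from the bounding set as the description proposes. That deployment requirement deserves a sentence here or in the planned capabilities.7 text.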
@@ -142,7 +142,7 @@ struct security_class_mapping secclass_map[] = {
 "node_bind", "name_connect", NULL } },
 { "memprotect", { "mmap_zero", NULL } },
 { "peer", { "recv", NULL } },
- { "capability2", { "mac_override", "mac_admin", NULL } },
+ { "capability2", { "mac_override", "mac_admin", "grant_id", NULL } },
 { "kernel_service", { "use_as_override", "create_files_as", NULL } },
 { "tun_socket", { COMMON_SOCK_PERMS, NULL } },
-- 
1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
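Review bot: Nothing at the "capability2" entry records that the order of its permission names has to follow the capability numbers from 32 upward. "grant_id" is correctly third for value 34, but a one-line comment such as `/* order must match CAP_* numbering starting at 32 */` above the entry would protect the next addition. A policy built before this permission existed will not define it, so the outcome of a grant_id check presumably depends on the loaded policy's handle_unknown setting. The description should say which setting is expected, since with "allow" the new check would add no SELinux restriction until policy is updated. The secclass_map initializer starts and ends outside this hunk.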