Mailinglist Archive: opensuse-kernel (95 mails)

< Previous Next >
Re: [opensuse-kernel] Re: openSUSE Kernel: Push Patches Upstream
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2011 11:36 AM, Greg KH wrote:
On Fri, Apr 29, 2011 at 08:38:44AM +0200, Marcus Meissner wrote:
On Thu, Apr 28, 2011 at 07:40:08PM -0400, Jeff Mahoney wrote:
On 04/28/2011 02:50 PM, Brandon Philips wrote:
On 13:35 Thu 28 Apr 2011, Jeff Mahoney wrote:
- - patches.suse/file-capabilities-disable-by-default.diff
[never submitted]

We should drop it. Upstream has had file caps by default since Nov 2009.

Upstream commits:
b3a222e52e4d4be77cc4520a57af1a4a0d8222d1
1f29fae29709b4668979e244c09b2fa78ff1ad59

In doing a zypper dup today, I saw that something is looking at
/proc/cmdline for "file_caps" as part of SuSEconfig running. We should
probably figure out what that is.

The SuSEconfig permissions module, it decides on whether to handle file caps
setting or not depending on the kernel.

Ludwig wants a patch to detect this for years in the mainline kernel, but it
is
not there yet.

Can you please take care that such a method is exposed by mainline?
(file_caps might be disabled or enabled, we should handle both cases and
detect
it from the kernel.)


The patch doing this in the kernel is queued up to be accepted for the
.40 kernel release, so perhaps I should also add it to our tree now so
that FACTORY can be converted over to using it and this can be dropped?

If so, just let me know and I will go add it as it is in my upstream
kernel tree already.

And it was my fault that it took so long to get accepted for the past 6+
months, sorry, it got lost in my patch queue :(

This has now become interesting, it seems. I just noticed that /bin/ping
has capabilities set and is no longer suid root on two of my factory
machines. Consequently, it's not working unless I boot with file_caps on
the command line.

As to whether or not it's currently available, wouldn't something like
the attached program work for that? I copied the security.capability
attribute from /bin/ping to a test program (as root) and it gives me
val=0 on my system without file_caps and val=1 on my system with it when
I run it with an unprivileged user.

- -Jeff

- --
Jeff Mahoney
SUSE Labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk3cYzgACgkQLPWxlyuTD7LV7QCfbRfX7cWwOfuprKSJ8IoPLInk
d48AoKezMiMblfX6aw+UySwtGJmUPEe4
=7yjj
-----END PGP SIGNATURE-----
#include <sys/capability.h>
#include <signal.h>
#include <stdio.h>

int main(void)
{
cap_t cap;

cap = cap_get_proc();
if (cap) {
int ret;
cap_flag_value_t val;
ret = cap_get_flag(cap, CAP_NET_RAW, CAP_EFFECTIVE, &val);
if (!ret) {
printf("val=%d\n", val);
} else
perror("cap_get_flag");

cap_free(cap);

}

return 0;
}

< Previous Next >