-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a fail-safe additional feature for filesystem capability support.

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFINES/+bHCR3gb8jsRAmPdAJsG8fKTNBXYmUb3CJDchLQ1MCYgDQCg2uQl
ltlVX1O9D6BtDK/4+gsoq8U=
=AUc0
-----END PGP SIGNATURE-----
[ message continues ]

Assuming (as it appears) the only change from last time is that you
dropped the part changing cap_bprm_apply_creds() contraints for a
ptraced process, then

Acked-by: Serge Hallyn <serue@us.ibm.com>

I'll try to give it a good test-run next week.

thanks,

--

[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote:
| Quoting Andrew G. Morgan (morgan@kernel.org):
| This is a fail-safe additional feature for filesystem capability support.
|
| Cheers
|
| Andrew

~From 916b252d3b631214acea6df6c61e94ce6770fdf7 Mon Sep 17 00:00:00 2001
From: Andrew G. Morgan <morgan@kernel.org>
Date: Thu, 15 May 2008 23:17:13 -0700
Subject: [PATCH] Protect legacy applications from executing with
insufficient privilege.
[..]

| Assuming (as it appears) the only change from last time is that you
| dropped the part changing cap_bprm_apply_creds() contraints for a
| ptraced process, then

Yes. That's the only material change. I also added a comment explaining
the "strange" (since it caused some concern last time around) cap_bset |
cap_inheritable bit...

| Acked-by: Serge Hallyn <serue@us.ibm.com>

| I'll try to give it a good test-run next week.

Thanks

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFINQIr+bHCR3gb8jsRAjUtAJ0dX67kT3AAtR7gUZgCPiXS2t+nzQCgghmv
GSgqeiwwbZXcc6tSh9957Fo=
=dmv/
-----END PGP SIGNATURE-----
--

[ message continues ]

That makes my eyes say ow.  The 80-col thing is a pain.

With a judiciously placed `continue' we can do this:

	CAP_FOR_EACH_U32(i) {
		__u32 value_cpu;

		if (i >= tocopy) {
			/*
			 * Legacy capability sets have no upper bits
			 */
			bprm->cap_post_exec_permitted.cap[i] = 0;
			continue;
		}
		/*
		 * pP' = (X & fP) | (pI & fI)
		 */
		value_cpu = le32_to_cpu(caps->data[i].permitted);
		bprm->cap_post_exec_permitted.cap[i] =
			(current->cap_bset.cap[i] & value_cpu) |
			(current->cap_inheritable.cap[i] &
				le32_to_cpu(caps->data[i].inheritable));
		if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
			/*
			 * insufficient to execute correctly
			 */
			ret = -EPERM;
		}
	}

OK?
--

[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrew Morton wrote:
| With a judiciously placed `continue' we can do this:
|
| 	CAP_FOR_EACH_U32(i) {
| 		__u32 value_cpu;
|
| 		if (i >= tocopy) {
| 			/*
| 			 * Legacy capability sets have no upper bits
| 			 */
| 			bprm->cap_post_exec_permitted.cap[i] = 0;
| 			continue;
| 		}
| 		/*
| 		 * pP' = (X & fP) | (pI & fI)
| 		 */
| 		value_cpu = le32_to_cpu(caps->data[i].permitted);
| 		bprm->cap_post_exec_permitted.cap[i] =
| 			(current->cap_bset.cap[i] & value_cpu) |
| 			(current->cap_inheritable.cap[i] &
| 				le32_to_cpu(caps->data[i].inheritable));
| 		if (value_cpu & ~bprm->cap_post_exec_permitted.cap[i]) {
| 			/*
| 			 * insufficient to execute correctly
| 			 */
| 			ret = -EPERM;
| 		}
| 	}
|
| OK?

Yes.

Acked-by: Andrew G. Morgan <morgan@kernel.org>

Cheers

Andrew
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFINXLL+bHCR3gb8jsRAiGUAJ49d61n7+uhc3M5vJjT5398w9tRGgCgwLRe
vXHOIIJAoHvlGNACagKSPes=
=oPN0
-----END PGP SIGNATURE-----
--

[ message continues ]