linux/kernel
Andrew Morgan 72c2d5823f V3 file capabilities: alter behavior of cap_setpcap
The non-filesystem capability meaning of CAP_SETPCAP is that a process, p1,
can change the capabilities of another process, p2.  This is not the
meaning that was intended for this capability at all, and this
implementation came about purely because, without filesystem capabilities,
there was no way to use capabilities without one process bestowing them on
another.

Since we now have a filesystem support for capabilities we can fix the
implementation of CAP_SETPCAP.

The most significant thing about this change is that, with it in effect, no
process can set the capabilities of another process.

The capabilities of a program are set via the capability convolution
rules:

   pI(post-exec) = pI(pre-exec)
   pP(post-exec) = (X(aka cap_bset) & fP) | (pI(post-exec) & fI)
   pE(post-exec) = fE ? pP(post-exec) : 0

at exec() time.  As such, the only influence the pre-exec() program can
have on the post-exec() program's capabilities are through the pI
capability set.

The correct implementation for CAP_SETPCAP (and that enabled by this patch)
is that it can be used to add extra pI capabilities to the current process
- to be picked up by subsequent exec()s when the above convolution rules
are applied.

Here is how it works:

Let's say we have a process, p. It has capability sets, pE, pP and pI.
Generally, p, can change the value of its own pI to pI' where

   (pI' & ~pI) & ~pP = 0.

That is, the only new things in pI' that were not present in pI need to
be present in pP.

The role of CAP_SETPCAP is basically to permit changes to pI beyond
the above:

   if (pE & CAP_SETPCAP) {
      pI' = anything; /* ie., even (pI' & ~pI) & ~pP != 0  */
   }

This capability is useful for things like login, which (say, via
pam_cap) might want to raise certain inheritable capabilities for use
by the children of the logged-in user's shell, but those capabilities
are not useful to or needed by the login program itself.

One such use might be to limit who can run ping. You set the
capabilities of the 'ping' program to be "= cap_net_raw+i", and then
only shells that have (pI & CAP_NET_RAW) will be able to run
it. Without CAP_SETPCAP implemented as described above, login(pam_cap)
would have to also have (pP & CAP_NET_RAW) in order to raise this
capability and pass it on through the inheritable set.

Signed-off-by: Andrew Morgan <morgan@kernel.org>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-18 14:37:24 -07:00
..
irq Compile handle_percpu_irq even for uniprocessor kernels 2007-10-17 08:43:00 -07:00
power Hibernation: Enter platform hibernation state in a consistent way 2007-10-18 14:37:20 -07:00
time x86: C1E late detection fix. Really switch off lapic timer 2007-10-17 20:15:13 +02:00
.gitignore
acct.c
audit.c [NET]: make netlink user -> kernel interface synchronious 2007-10-10 21:15:29 -07:00
audit.h
auditfilter.c
auditsc.c Clean up duplicate includes in kernel/ 2007-10-17 08:42:48 -07:00
capability.c V3 file capabilities: alter behavior of cap_setpcap 2007-10-18 14:37:24 -07:00
compat.c
configs.c
cpu.c cpu hotplug: cpu: deliver CPU_UP_CANCELED only to NOTIFY_OKed callbacks with CPU_UP_PREPARE 2007-10-18 14:37:21 -07:00
cpuset.c oom: compare cpuset mems_allowed instead of exclusive ancestors 2007-10-17 08:42:46 -07:00
delayacct.c sched: clean up schedstats, cnt -> count 2007-10-15 17:00:12 +02:00
die_notifier.c
dma.c
exec_domain.c
exit.c Shrink task_struct if CONFIG_FUTEX=n 2007-10-17 08:42:55 -07:00
extable.c
fork.c Remove struct task_struct::io_wait 2007-10-18 14:37:20 -07:00
futex_compat.c robust futex thread exit race 2007-10-01 07:52:23 -07:00
futex.c change inotifyfs magic as the same magic is used for futexfs 2007-10-17 08:43:00 -07:00
hrtimer.c [KTIME]: Introduce ktime_sub_ns and ktime_sub_us 2007-10-10 16:48:12 -07:00
itimer.c
kallsyms.c
Kconfig.hz
Kconfig.preempt Move PREEMPT_NOTIFIERS into an always-included Kconfig 2007-10-17 08:42:55 -07:00
kexec.c add-vmcore: add a prefix "VMCOREINFO_" to the vmcoreinfo macros 2007-10-17 08:42:54 -07:00
kfifo.c
kmod.c Restore call_usermodehelper_pipe() behaviour 2007-09-11 17:21:20 -07:00
kprobes.c kprobes: support kretprobe blacklist 2007-10-16 09:43:10 -07:00
ksysfs.c add-vmcore: cleanup the coding style according to Andrew's comments 2007-10-17 08:42:54 -07:00
kthread.c kthread: silence bogus section mismatch warning 2007-07-31 15:39:42 -07:00
latency.c
lockdep_internals.h
lockdep_proc.c lockdep: Avoid /proc/lockdep & lock_stat infinite output 2007-10-11 22:11:11 +02:00
lockdep.c lockdep: syscall exit check 2007-10-11 22:11:12 +02:00
Makefile sysctl: Error on bad sysctl tables 2007-10-18 14:37:23 -07:00
module.c module: return error when mod_sysfs_init() failed 2007-10-17 08:43:01 -07:00
mutex-debug.c
mutex-debug.h
mutex.c lockdep: fixup mutex annotations 2007-10-11 22:11:12 +02:00
mutex.h
nsproxy.c Use KMEM_CACHE macro to create the nsproxy cache 2007-10-17 08:42:59 -07:00
panic.c
params.c param_sysfs_builtin memchr argument fix 2007-10-18 14:37:21 -07:00
pid.c
posix-cpu-timers.c
posix-timers.c SLAB_PANIC more (proc, posix-timers, shmem) 2007-10-17 08:42:47 -07:00
printk.c serial: turn serial console suspend a boot rather than compile time option 2007-10-18 14:37:19 -07:00
profile.c make kernel/profile.c:time_hook static 2007-10-17 08:42:55 -07:00
ptrace.c m32r: convert to generic sys_ptrace 2007-10-16 09:43:04 -07:00
rcupdate.c Clean up duplicate includes in kernel/ 2007-10-17 08:42:48 -07:00
rcutorture.c Make rcutorture RNG use temporal entropy 2007-10-17 08:42:53 -07:00
relay.c Fix a use after free bug in kernel->userspace relay file support 2007-07-31 15:39:42 -07:00
resource.c memory unplug: memory hotplug cleanup 2007-10-16 09:43:01 -07:00
rtmutex_common.h
rtmutex-debug.c kernel/rtmutex-debug.c: cleanups 2007-10-17 08:42:50 -07:00
rtmutex-debug.h
rtmutex-tester.c
rtmutex.c
rtmutex.h
rwsem.c
sched_debug.c Make scheduler debug file operations const 2007-10-15 17:00:19 +02:00
sched_fair.c sched: fix new task startup crash 2007-10-17 16:55:11 +02:00
sched_idletask.c sched: mark scheduling classes as const 2007-10-15 17:00:12 +02:00
sched_rt.c sched: tidy up SCHED_RR 2007-10-15 17:00:13 +02:00
sched_stats.h sched: clean up schedstats, cnt -> count 2007-10-15 17:00:12 +02:00
sched.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched 2007-10-17 09:11:18 -07:00
seccomp.c
signal.c freezer: do not send signals to kernel threads 2007-10-18 14:37:19 -07:00
softirq.c [KERNEL]: Unexport raise_softirq_irqoff 2007-10-10 16:49:18 -07:00
softlockup.c softlockup: add a /proc tuning parameter 2007-10-17 08:42:47 -07:00
spinlock.c
srcu.c
stacktrace.c
stop_machine.c
sys_ni.c kernel/sys_ni.c: add dummy sys_ni_syscall() prototype 2007-10-17 08:42:55 -07:00
sys.c unexport pm_power_off_prepare 2007-10-18 14:37:19 -07:00
sysctl_check.c V3 file capabilities: alter behavior of cap_setpcap 2007-10-18 14:37:24 -07:00
sysctl.c V3 file capabilities: alter behavior of cap_setpcap 2007-10-18 14:37:24 -07:00
taskstats.c Clean up duplicate includes in kernel/ 2007-10-17 08:42:48 -07:00
time.c Fix discrepancy between VDSO based gettimeofday() and sys_gettimeofday(). 2007-10-18 14:37:20 -07:00
timer.c
tsacct.c
uid16.c
user_namespace.c Fix user namespace exiting OOPs 2007-09-19 11:24:18 -07:00
user.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched 2007-10-17 09:11:18 -07:00
utsname_sysctl.c
utsname.c Fix UTS corruption during clone(CLONE_NEWUTS) 2007-09-19 11:24:17 -07:00
wait.c
workqueue.c fix bogus hotplug cpu warning 2007-08-27 10:27:48 -07:00