Skunk Worx wrote:
[snip]
I'm looking at the source code for the two kernels now.
2.6.23:
-------
extern int cap_capget (struct task_struct *target, kernel_cap_t
*effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
./linux-2.6.23/include/linux/security.h
and
int cap_capget (struct task_struct *target, kernel_cap_t *effective,
EXPORT_SYMBOL(cap_capget);
./linux-2.6.23/security/commoncap.c
2.6.25:
-------
extern int cap_capget (struct task_struct *target, kernel_cap_t
*effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
./linux-2.6.25/include/linux/security.h
and
int cap_capget (struct task_struct *target, kernel_cap_t *effective,
./linux-2.6.25/security/commoncap.c
...so someone took out a group of EXPORT_SYMBOLs:
EXPORT_SYMBOL(cap_capable);
EXPORT_SYMBOL(cap_settime);
EXPORT_SYMBOL(cap_ptrace);
EXPORT_SYMBOL(cap_capget);
EXPORT_SYMBOL(cap_capset_check);
EXPORT_SYMBOL(cap_capset_set);
EXPORT_SYMBOL(cap_bprm_set_security);
EXPORT_SYMBOL(cap_bprm_apply_creds);
EXPORT_SYMBOL(cap_bprm_secureexec);
EXPORT_SYMBOL(cap_inode_setxattr);
EXPORT_SYMBOL(cap_inode_removexattr);
EXPORT_SYMBOL(cap_task_post_setuid);
EXPORT_SYMBOL(cap_task_reparent_to_init);
EXPORT_SYMBOL(cap_syslog);
EXPORT_SYMBOL(cap_vm_enough_memory);
This seems relevant:
http://lists.openwall.net/linux-kernel/2007/08/14/418
...esp. the statement : "- remove a bunch of no longer used exports"
Sounds like people can't use the POSIX capability API to set things
like CAP_SYS_NICE in their drivers any more, or maybe there is a new
way to do such things.
At least one of our ring nodes (sometimes more) needs to adjust the
scheduler to keep up with the incoming data.
---
John
...I think I found it:
http://lwn.net/Articles/211207/
http://www.friedhoff.org/posixfilecaps.html
Very cool...I am looking forward to trying this.
---
John
Very cool indeed. Thanks for posting this. The article is a great read.
And I too will be trying this out. I checked and Fedora 9 only provides
libcap 2.0.6 whereas 2.0.8 is needed for all the neat capabilities.
This is powerful. What a great way to lock down an installation.
Almost seems like the dual of the SELinux work.
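As an added example (not code from this thread, from libcap or from the kernel), the following userspace program shows the file-capability approach the linked articles describe, applied to the scheduler case above: it reads its own effective capability set from /proc/self/status, reports whether CAP_SYS_NICE (bit 23 in linux/capability.h) is present, and then attempts to switch itself to SCHED_FIFO, which the kernel only allows with that capability (or a suitable RLIMIT_RTPRIO). The parsing helpers take constructed status lines so they can be exercised without root. The CapEff format and bit value are those of 2.6.24+ kernels; the binary name "capcheck" is only an assumption for the usage note.

```c
#include <errno.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit index of CAP_SYS_NICE from linux/capability.h; defined here so the
 * example also compiles on systems without that header. */
#define CAP_SYS_NICE 23

/* Parse a "Key:<ws><hex>" line in the format /proc/<pid>/status uses for
 * CapInh/CapPrm/CapEff. Returns 0 and stores the 64-bit mask, -1 otherwise. */
static int parse_cap_line(const char *line, const char *key, uint64_t *mask)
{
    size_t klen = strlen(key);
    const char *p;
    char *end;

    if (strncmp(line, key, klen) != 0 || line[klen] != ':')
        return -1;
    p = line + klen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    *mask = strtoull(p, &end, 16);
    return (end == p || errno != 0) ? -1 : 0;
}

/* 1 if capability bit `cap` is set in `mask`, 0 if not (or out of range). */
static int cap_in_mask(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1);
}

/* Check one status line: 1 = capability set, 0 = clear,
 * -1 = line is not the requested key or is malformed. */
static int line_has_cap(const char *line, const char *key, int cap)
{
    uint64_t mask;
    if (parse_cap_line(line, key, &mask) != 0)
        return -1;
    return cap_in_mask(mask, cap);
}

/* Read the calling process's effective set from /proc/self/status.
 * Returns 0 on success, -1 if the file is unavailable (non-Linux) or the
 * CapEff line is missing. */
static int read_effective_caps(uint64_t *eff)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = -1;

    if (f == NULL)
        return -1;
    while (fgets(line, sizeof line, f) != NULL) {
        if (parse_cap_line(line, "CapEff", eff) == 0) {
            found = 0;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Ask for SCHED_FIFO at `prio`; the kernel refuses with EPERM unless
 * CAP_SYS_NICE is effective (or RLIMIT_RTPRIO already permits it). */
static int raise_to_fifo(int prio)
{
    struct sched_param sp;
    memset(&sp, 0, sizeof sp);
    sp.sched_priority = prio;
    return sched_setscheduler(0, SCHED_FIFO, &sp);
}

int main(void)
{
    uint64_t eff;

    if (read_effective_caps(&eff) != 0) {
        fprintf(stderr, "could not read CapEff from /proc/self/status\n");
        return 1;
    }
    printf("CapEff = %016llx, CAP_SYS_NICE %s\n", (unsigned long long)eff,
           cap_in_mask(eff, CAP_SYS_NICE) ? "effective" : "not effective");

    if (raise_to_fifo(10) == 0)
        printf("now running SCHED_FIFO\n");
    else
        printf("sched_setscheduler failed: %s\n", strerror(errno));
    return 0;
}
```

Build with `gcc -o capcheck capcheck.c`, then as root run `setcap cap_sys_nice=ep ./capcheck` and confirm with `getcap ./capcheck`; run as an ordinary user it should now report the capability as effective and succeed in switching to SCHED_FIFO, with no setuid bit involved. This needs a kernel with file-capability support enabled, a filesystem that stores extended attributes, and a mount without nosuid (file capabilities are ignored there). Grant only the bits the program actually needs: "ep" here raises CAP_SYS_NICE alone, not the full root set a setuid binary would get. For code inside the kernel, the check is capable(CAP_SYS_NICE), which remained available to modules; the removed cap_* exports were the default LSM hook bodies, not that API.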
--
fedora-test-list mailing list
fedora-test-list@xxxxxxxxxx
To unsubscribe:
https://www.redhat.com/mailman/listinfo/fedora-test-list