On Thu, Feb 26, 2015 at 12:28:30PM -0600, Christoph Lameter wrote: > On Thu, 26 Feb 2015, Serge E. Hallyn wrote: > > > > Well doing that breaks su. > > > > Don't what exactly? You're saying that doing > > > > pI' = pI > > pA' = pA (pA is ambient) > > pP' = (X & fP) | (pI & (fI | pA)) > > pE' = pP' & (fE | pA) > > > > stopped su from having CAP_SETGID while > > > > pI' = pI > > pA' = pA (pA is ambient) > > pP' = (X & fP) | (pI & (fI | pA)) > > pE' = pP' & fE > > > > worked? I'll hope you're saying both "fail", in which case > > fE does not exist in cpu_vfs_cap_data. We only get fI and fP. Why in the > world does setcap allow setting fE? It sets a bit in the magic_etc. So fE is either all on or all off. > V1 does not use fE. In my newer attempt, I seemed to have worked > with zeroed field that I assumed was filled in. > > I will just do > > pE' = pP' > > Ok? Andrew Morgan was against that. What if we changed pE' = pP' & (fE | pA) to if (pA) pE' = pP' & fE else pE' = pP' -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
