Re: [PATCH 3/3] capabilities: add cap userns sysctl mask

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, May 20, 2024 at 12:25:27PM -0700, Jonathan Calmels wrote:
> On Mon, May 20, 2024 at 07:30:14AM GMT, Tycho Andersen wrote:
> > there is an ongoing effort (started at [0]) to constify the first arg
> > here, since you're not supposed to write to it. Your usage looks
> > correct to me, so I think all it needs is a literal "const" here.
> 
> Will do, along with the suggestions from Jarkko
> 
> > > +	struct ctl_table t;
> > > +	unsigned long mask_array[2];
> > > +	kernel_cap_t new_mask, *mask;
> > > +	int err;
> > > +
> > > +	if (write && (!capable(CAP_SETPCAP) ||
> > > +		      !capable(CAP_SYS_ADMIN)))
> > > +		return -EPERM;
> > 
> > ...why CAP_SYS_ADMIN? You mention it in the changelog, but don't
> > explain why.
> 
> No reason really, I was hoping we could decide what we want here.
> UMH uses CAP_SYS_MODULE, Serge mentioned adding a new cap maybe.

I don't have a strong preference between SETPCAP and a new capability,
but I do think it should be just one. SYS_ADMIN is already god mode
enough, IMO.

Tycho




[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux