The patch titled
implement-file-posix-capabilities update
has been removed from the -mm tree. Its filename was
implement-file-posix-capabilities-update.patch
This patch was dropped because it was folded into implement-file-posix-capabilities.patch
------------------------------------------------------
Subject: implement-file-posix-capabilities update
From: "Serge E. Hallyn" <serge@xxxxxxxxxx>
So here is a new consolidated patch without the STRICTXATTR config
option.
Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>
Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
Cc: James Morris <jmorris@xxxxxxxxx>
Cc: Chris Wright <chrisw@xxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
security/Kconfig | 10 --------
security/commoncap.c | 51 ++---------------------------------------
2 files changed, 3 insertions(+), 58 deletions(-)
diff -puN security/Kconfig~implement-file-posix-capabilities-update security/Kconfig
--- a/security/Kconfig~implement-file-posix-capabilities-update
+++ a/security/Kconfig
@@ -90,16 +90,6 @@ config SECURITY_FILE_CAPABILITIES
If in doubt, answer N.
-config SECURITY_FILE_CAPABILITIES_STRICTXATTR
- bool "Refuse to run files with unknown caps"
- depends on SECURITY_FILE_CAPABILITIES
- default y
- help
- Refuse to run files which have unknown capabilities set
- in the security.capability xattr. This could prevent
- running important binaries from an updated distribution
- on an older kernel.
-
config SECURITY_ROOTPLUG
tristate "Root Plug Support"
depends on USB && SECURITY
diff -puN security/commoncap.c~implement-file-posix-capabilities-update security/commoncap.c
--- a/security/commoncap.c~implement-file-posix-capabilities-update
+++ a/security/commoncap.c
@@ -111,51 +111,10 @@ void cap_capset_set (struct task_struct
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES_STRICTXATTR
-static int check_cap_sanity(struct vfs_cap_data_disk *dcap, int size)
-{
- int word, bit;
- u32 eff, inh, perm;
- int sz = (size-1)/3;
-
- word = CAP_NUMCAPS / 32;
- bit = CAP_NUMCAPS % 32;
-
- eff = le32_to_cpu(dcap->data[3*word]);
- perm = le32_to_cpu(dcap->data[3*word+1]);
- inh = le32_to_cpu(dcap->data[3*word+2]);
-
- while (word < sz) {
- if (bit == 32) {
- bit = 0;
- word++;
- if (word >= sz)
- break;
- eff = le32_to_cpu(dcap->data[3*word]);
- perm = le32_to_cpu(dcap->data[3*word+1]);
- inh = le32_to_cpu(dcap->data[3*word+2]);
- continue;
- }
- if (eff & CAP_TO_MASK(bit))
- return -EINVAL;
- if (inh & CAP_TO_MASK(bit))
- return -EINVAL;
- if (perm & CAP_TO_MASK(bit))
- return -EINVAL;
- bit++;
- }
-
- return 0;
-}
-#else
-static int check_cap_sanity(struct vfs_cap_data_disk *dcap, int sz)
-{ return 0; }
-#endif
-
static inline int cap_from_disk(struct vfs_cap_data_disk *dcap,
struct linux_binprm *bprm, int size)
{
- int rc, version;
+ int version;
version = le32_to_cpu(dcap->version);
if (version != _LINUX_CAPABILITY_VERSION)
@@ -163,15 +122,11 @@ static inline int cap_from_disk(struct v
size /= sizeof(u32);
if ((size-1)%3) {
- printk(KERN_WARNING "%s: size is an invalid size (%d)\n",
- __FUNCTION__, size);
+ printk(KERN_WARNING "%s: size is an invalid size %d for %s\n",
+ __FUNCTION__, size, bprm->filename);
return -EINVAL;
}
- rc = check_cap_sanity(dcap, size);
- if (rc)
- return rc;
-
bprm->cap_effective = le32_to_cpu(dcap->data[0]);
bprm->cap_permitted = le32_to_cpu(dcap->data[1]);
bprm->cap_inheritable = le32_to_cpu(dcap->data[2]);
_
Patches currently in -mm which might be from serge@xxxxxxxxxx are
implement-file-posix-capabilities.patch
implement-file-posix-capabilities-update.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
