On Sun, 12 Oct 2008, Steve Grubb wrote:

> Hi,
>
> I recently found out that the kernel now allows more than 32 capabilities.
> This means I need to update the audit code that interprets this value given
> from SE Linux. When I looked over the 2.6.27 kernel code, I found that SE
> Linux has not updated the capabilities code. It's still being kept as a simple
> integer in avc.h, but everywhere else I look in the kernel has moved to
> kernel_cap_t, which is an array. Are patches for moving to kernel_cap_t
> scheduled for 2.6.28? Are there security implications for not being able to
> access or control capabilities > 32?

The AVC can only handle 32-bit vectors, so a capability2 class was added to
handle capabilities over 32-bits. See

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b68e418c445e8a468634d0a7ca2fb63bbaa74028

-- 
James Morris <jmorris@xxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
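The split James describes, worked through as an added example that is not code from this thread or from the kernel: capabilities 0..31 are checked against the `capability` class and 32..63 against `capability2`, each as a 32-bit access vector. The `CAP_TO_INDEX`/`CAP_TO_MASK` macros are redefined here to mirror the kernel's `linux/capability.h` so the file builds without kernel headers; the permission-name table assumes the 34 capability names of 2.6.27 (up to `mac_admin`), and `parse_capset` assumes the 16-hex-digit, high-word-first layout that `/proc/PID/status` uses for `CapEff`. The audit-side consumer Steve mentions would need essentially this mapping; an unnamed bit above the known capabilities is reported as an error rather than guessed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Added example, not kernel code. These macros mirror the kernel's
 * linux/capability.h (2.6.25+) so the file builds without kernel headers. */
#define CAP_TO_INDEX(x)  ((x) >> 5)          /* which u32 word holds the bit */
#define CAP_TO_MASK(x)   (1u << ((x) & 31))  /* bit within that word         */
#define CAP_U32S         2                   /* 64 bits of capabilities      */
#define CAP_LAST_CAP     33                  /* CAP_MAC_ADMIN in 2.6.27 (assumed) */

/* Two-word set, the shape kernel_cap_t took when capabilities grew past 32. */
typedef struct { uint32_t cap[CAP_U32S]; } kernel_cap_t;

/* SELinux class the AVC needs for a capability: 0 = capability, 1 = capability2 */
enum { SEL_CAPABILITY = 0, SEL_CAPABILITY2 = 1, SEL_BADCAP = -1 };

/* Permission names of the capability/capability2 classes, indexed by
 * capability number (assumed list as of 2.6.27). */
static const char *cap_names[CAP_LAST_CAP + 1] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin",
};

/* Map one capability number to the (class, 32-bit AV bit) pair the AVC can check. */
int cap_to_avc(int cap, uint32_t *av)
{
    if (cap < 0 || cap > CAP_LAST_CAP)
        return SEL_BADCAP;
    *av = CAP_TO_MASK(cap);
    return CAP_TO_INDEX(cap) == 0 ? SEL_CAPABILITY : SEL_CAPABILITY2;
}

/* Parse a capability set written as up to 16 hex digits, high word first
 * (the CapEff/CapPrm layout of /proc/PID/status). Returns 0 on success. */
int parse_capset(const char *hex, kernel_cap_t *out)
{
    uint64_t v = 0;
    size_t n = strlen(hex);
    if (n == 0 || n > 16)
        return -1;
    for (size_t i = 0; i < n; i++) {
        int c = tolower((unsigned char)hex[i]);
        int d = (c >= '0' && c <= '9') ? c - '0'
              : (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
        if (d < 0)
            return -1;
        v = (v << 4) | (uint64_t)d;
    }
    out->cap[0] = (uint32_t)(v & 0xffffffffu);   /* caps 0..31  */
    out->cap[1] = (uint32_t)(v >> 32);           /* caps 32..63 */
    return 0;
}

/* Render a set as "capability:{...} capability2:{...}", the way an audit tool
 * interpreting the value would. Returns the number of named capabilities, or
 * -1 if the set carries a bit above CAP_LAST_CAP (no name to print for it). */
int describe_capset(const kernel_cap_t *set, char *buf, size_t len)
{
    int count = 0;
    size_t pos = 0;
    for (int cls = SEL_CAPABILITY; cls <= SEL_CAPABILITY2; cls++) {
        int r = snprintf(buf + pos, len - pos, "%s%s:{", cls ? " " : "",
                         cls ? "capability2" : "capability");
        if (r < 0 || (size_t)r >= len - pos) return -1;
        pos += (size_t)r;
        int first = 1;
        for (int cap = cls * 32; cap < (cls + 1) * 32; cap++) {
            if (!(set->cap[cls] & CAP_TO_MASK(cap)))
                continue;
            if (cap > CAP_LAST_CAP)
                return -1;          /* unknown bit: refuse to guess a name */
            r = snprintf(buf + pos, len - pos, "%s%s", first ? "" : ",", cap_names[cap]);
            if (r < 0 || (size_t)r >= len - pos) return -1;
            pos += (size_t)r;
            first = 0;
            count++;
        }
        r = snprintf(buf + pos, len - pos, "}");
        if (r < 0 || (size_t)r >= len - pos) return -1;
        pos += (size_t)r;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: CAP_CHOWN (0) and CAP_MAC_ADMIN (33) set. */
    kernel_cap_t set;
    char out[512];
    if (parse_capset("0000000200000001", &set) == 0 &&
        describe_capset(&set, out, sizeof out) >= 0)
        puts(out);   /* capability:{chown} capability2:{mac_admin} */
    return 0;
}
```

The point of the two-class mapping is visible in `cap_to_avc`: the same capability number yields a different class and a wrapped bit position once it crosses 32, which is exactly what a policy check or an audit decoder that still treats the value as a single 32-bit integer would get wrong.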