OpenVZ Forum


[PATCH 0/3] capabilities: per-process capbset [message #21067] Mon, 01 October 2007 14:40
serue
Here is a new per-process capability bounding set patchset
which I expect to send to linux-kernel soon.  It makes
the capbset per-process.  A process can only permanently
remove bits from its bounding set, not add them.  To
remove bits, CAP_SYS_ADMIN is currently needed.  Maybe
that's not the best choice, but some privilege should
probably be required.

The intent is to allow a process tree to start with
certain capabilities, i.e. CAP_MKNOD, permanently
removed, so that running a setuid binary or one with
file capabilities will still not result in those
capabilities.  The immediate use case for this is
containers/virtual servers.

I am not taking the task_capability_lock during
cap_prctl_setbset(), just as it is not taken when
capabilities are calculated during fork.  That means
it can race with another task doing capsetp() on it,
and with capgetp().  I'm still looking for comments
on whether the fix I sent out last week is correct.
If it is, then I'll take the task_capability_lock
during cap_prctl_setbset().

thanks,
-serge
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
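The behaviour the post describes, as an added example that is not part of the patchset or the original message. It uses the bounding-set prctl interface as it later landed in mainline Linux 2.6.25 (PR_CAPBSET_READ and PR_CAPBSET_DROP, gated on CAP_SETPCAP rather than the CAP_SYS_ADMIN this RFC proposes); the function names capbset_has, capbset_drop and drop_in_child_only are this example's own. It shows the two properties the post relies on: a drop is one-way (there is no "add" operation), and the set is per-process, so a child dropping CAP_MKNOD leaves its parent's bounding set untouched. Run it unprivileged and the drop is refused with EPERM; run it with CAP_SETPCAP (root) and the child's bit goes away while the parent's stays.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* prctl numbers and capability bit as in mainline Linux (2.6.25 and later);
 * guarded so the file builds even where the kernel headers are absent. */
#ifndef PR_CAPBSET_READ
#define PR_CAPBSET_READ 23
#endif
#ifndef PR_CAPBSET_DROP
#define PR_CAPBSET_DROP 24
#endif
#ifndef CAP_MKNOD
#define CAP_MKNOD 27
#endif

/* 1 if cap is still in the caller's bounding set, 0 if it has been dropped,
 * -errno on failure (-EINVAL for a capability number the kernel does not know). */
static int capbset_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
    return r < 0 ? -errno : r;
}

/* Permanently remove cap from the caller's bounding set.  There is no inverse
 * call: once a bit is gone it stays gone for this process and its descendants.
 * 0 on success, -errno otherwise (-EPERM when the caller lacks CAP_SETPCAP). */
static int capbset_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL) < 0)
        return -errno;
    return 0;
}

/* Fork, drop cap in the child only, and report what each side sees.
 * Returns the parent's capbset_has(cap) after the child has exited, so the
 * caller can confirm the bounding set is per-process: the child's drop must
 * not leak into the parent.  *child_result receives the child's outcome
 * (0 = dropped and verified gone, -EPERM = refused, other -errno = error). */
static int drop_in_child_only(int cap, int *child_result)
{
    pid_t pid = fork();
    if (pid < 0)
        return -errno;
    if (pid == 0) {
        int r = capbset_drop(cap);
        if (r == 0 && capbset_has(cap) != 0)
            r = -EIO; /* drop reported success but the bit is still set */
        /* encode the errno value in the exit status (errno fits in 8 bits) */
        _exit(r == 0 ? 0 : -r);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    if (!WIFEXITED(status))
        return -ECHILD;
    *child_result = -WEXITSTATUS(status);
    return capbset_has(cap);
}

int main(void)
{
    int before = capbset_has(CAP_MKNOD);
    int child = 0;
    int after = drop_in_child_only(CAP_MKNOD, &child);

    printf("CAP_MKNOD in bounding set before: %d\n", before);
    printf("child's drop of CAP_MKNOD: %s\n",
           child == 0 ? "dropped" : strerror(-child));
    printf("CAP_MKNOD in parent after child's drop: %d\n", after);
    return 0;
}
```

In a container setup the call sequence is the same but done once in the init process before it execs anything: every descendant, including setuid binaries and binaries carrying file capabilities, then inherits a bounding set without the dropped bits, which is the use case the post gives.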