From 8cdbc2b9826b3543fecff2f6d6400fa77b21ffdd Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Thu, 12 Jun 2008 15:21:33 -0700 Subject: capabilities: add (back) dummy support for KEEPCAPS The dummy module is used by folk that run security conscious code(!?). A feature of such code (for example, dhclient) is that it tries to operate with minimum privilege (dropping unneeded capabilities). While the dummy module doesn't restrict code execution based on capability state, the user code expects the kernel to appear to support it. This patch adds back faked support for the PR_SET_KEEPCAPS etc., calls - making the kernel behave as before 2.6.26. For details see: http://bugzilla.kernel.org/show_bug.cgi?id=10748 Signed-off-by: Andrew G. Morgan Acked-by: Serge Hallyn Cc: James Morris Cc: Stephen Smalley Cc: Chris Wright Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- security/dummy.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/security/dummy.c b/security/dummy.c index f50c6c3c32c..b8916883b77 100644 --- a/security/dummy.c +++ b/security/dummy.c @@ -27,6 +27,8 @@ #include #include #include +#include +#include static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) { @@ -607,7 +609,27 @@ static int dummy_task_kill (struct task_struct *p, struct siginfo *info, static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5, long *rc_p) { - return 0; + switch (option) { + case PR_CAPBSET_READ: + *rc_p = (cap_valid(arg2) ? 1 : -EINVAL); + break; + case PR_GET_KEEPCAPS: + *rc_p = issecure(SECURE_KEEP_CAPS); + break; + case PR_SET_KEEPCAPS: + if (arg2 > 1) + *rc_p = -EINVAL; + else if (arg2) + current->securebits |= issecure_mask(SECURE_KEEP_CAPS); + else + current->securebits &= + ~issecure_mask(SECURE_KEEP_CAPS); + break; + default: + return 0; + } + + return 1; } static void dummy_task_reparent_to_init (struct task_struct *p) -- cgit v1.2.3-70-g09d2