Chris Wright wrote:

>You are missing the call to cap_issubset(). This is a capabilities call.
>Currently, all the capabilities bits are stored in the per task security
>blob (i.e. child->cap_permitted is not relevant). Stephen Smalley made
>a great suggestion to move that check into the prior ptrace_hook check
>for the capabilities module, so the ptrace hook implementation for the
>capabilities module would be:
>
>(!cap_issubset(child, parent) && !capable(CAP_SYS_PTRACE))
>
>I believe that solves the issue cleanly.

Ahh, yes, you're right. I was rather blind. Thanks for the explanation!
(Clever solution, too...)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
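The check quoted in the message above, modelled in user space as an added example; it is not code from the thread or from the kernel. The `task_caps` struct, the helper names and the sample capability sets are hypothetical, and the model assumes the subset test compares the permitted sets held in each task's security blob.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define CAP_NET_ADMIN  12
#define CAP_SYS_PTRACE 19
#define CAP_MASK(c)    ((uint32_t)1 << (c))

/* Hypothetical stand-in for the per-task security blob. */
struct task_caps {
    uint32_t permitted;
    uint32_t effective;
};

/* True when every capability in 'a' is also present in 'set'. */
static int caps_issubset(uint32_t a, uint32_t set)
{
    return (a & ~set) == 0;
}

/* True when the task currently holds 'cap' in its effective set. */
static int task_capable(const struct task_caps *t, int cap)
{
    return (t->effective & CAP_MASK(cap)) != 0;
}

/* Model of the hook: deny only when the child holds a capability the
 * tracer lacks AND the tracer does not hold CAP_SYS_PTRACE. */
static int model_ptrace_hook(const struct task_caps *parent,
                             const struct task_caps *child)
{
    if (!caps_issubset(child->permitted, parent->permitted) &&
        !task_capable(parent, CAP_SYS_PTRACE))
        return -EPERM;
    return 0;
}

int main(void)
{
    /* Constructed sample tasks. */
    struct task_caps plain  = { 0, 0 };
    struct task_caps netadm = { CAP_MASK(CAP_NET_ADMIN), CAP_MASK(CAP_NET_ADMIN) };
    struct task_caps tracer = { CAP_MASK(CAP_SYS_PTRACE), CAP_MASK(CAP_SYS_PTRACE) };

    printf("plain  -> netadm: %d\n", model_ptrace_hook(&plain, &netadm));
    printf("netadm -> plain : %d\n", model_ptrace_hook(&netadm, &plain));
    printf("tracer -> netadm: %d\n", model_ptrace_hook(&tracer, &netadm));
    return 0;
}
```
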
This archive was generated by hypermail 2b30 : Fri Jun 15 2001 - 23:36:21 PDT