Re: [PATCH][LSM] Early init for security modules and various cleanups

From: Chris Wright (chrisat_private)
Date: Mon Jun 02 2003 - 03:09:46 PDT

    * Grzegorz Jaskiewicz (gjat_private) wrote:
    > On Mon, 2 Jun 2003, Chris Wright wrote:
    > 
    > > @@ -91,7 +92,7 @@
    > >  	 * Superuser processes are usually more important, so we make it
    > >  	 * less likely that we kill those.
    > >  	 */
    > > -	if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
    > > +	if (!security_capable(p,CAP_SYS_ADMIN) ||
    > >  				p->uid == 0 || p->euid == 0)
    > >  		points /= 4;
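    Review bot: in the first condition, `!security_capable(p,CAP_SYS_ADMIN)` reads as "lacks CAP_SYS_ADMIN" unless the reader already knows the hook returns 0 when the capability is set, and it sits directly under a comment saying superuser processes are made less likely to be killed. Suggest a one-line comment at the call stating the 0-on-success convention, or an explicit `== 0` comparison, and a space after the comma in the argument list.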
    > ..............
    > > -	if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
    > > +	if (!security_capable(p,CAP_SYS_RAWIO))
    > >  		points /= 4;
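    Review bot: the `CAP_SYS_RAWIO` test no longer reads `p->cap_effective` directly but calls the security module hook with `p`, and the result only scales `points` rather than granting or denying an operation. The changelog should say so explicitly, so module authors know the hook is reached from this path and that a non-zero return here makes the task a more likely kill candidate.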
    > 
    > Correct me if I am wrong, but I think it is not a good idea to favor
    > applications with more capabilities, as usually those are the most
    > wanted targets on a system.
    
    security_capable() returns 0 if that capability bit is set.  So there is
    no functional change here; it just allows the security module to see the
    capability check that was hand-coded.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
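The equivalence described in the reply above, as an added userspace model that is not part of the original message or the kernel patch. `struct task`, `badness_old`, `badness_new`, `hook_calls` and `count_mismatches` are hypothetical names, the uid value 1000 is constructed, and the hook body assumes the behaviour stated in the reply (0 when the capability bit is set).

```c
/* Userspace model of the two hunks above; not kernel code. */
#include <errno.h>
#include <stdint.h>
#define CAP_SYS_RAWIO 17
#define CAP_SYS_ADMIN 21
#define CAP_TO_MASK(x) (1u << (x))
/* Stand-in for the task_struct fields the hunks read. */
struct task { uint32_t cap_effective; unsigned uid, euid; };
static unsigned long hook_calls; /* checks a security module gets to see */
/* Assumed default hook: 0 when the bit is set, -EPERM otherwise. */
static int security_capable(const struct task *p, int cap)
{
	hook_calls++;
	return (p->cap_effective & CAP_TO_MASK(cap)) ? 0 : -EPERM;
}

/* Removed lines: open-coded mask tests that no module observes. */
static int badness_old(const struct task *p, int points)
{
	if ((p->cap_effective & CAP_TO_MASK(CAP_SYS_ADMIN)) || p->uid == 0 || p->euid == 0)
		points /= 4;
	if (p->cap_effective & CAP_TO_MASK(CAP_SYS_RAWIO))
		points /= 4;
	return points;
}

/* Added lines: same decisions, routed through the hook. */
static int badness_new(const struct task *p, int points)
{
	if (!security_capable(p, CAP_SYS_ADMIN) || p->uid == 0 || p->euid == 0)
		points /= 4;
	if (!security_capable(p, CAP_SYS_RAWIO))
		points /= 4;
	return points;
}

/* Number of constructed (caps, uid, euid) cases where old and new differ. */
int count_mismatches(void)
{
	const uint32_t a = CAP_TO_MASK(CAP_SYS_ADMIN), r = CAP_TO_MASK(CAP_SYS_RAWIO);
	const uint32_t caps[] = { 0, a, r, a | r, 0xffffffffu };
	int bad = 0;
	for (unsigned i = 0; i < 5 * 4; i++) {
		struct task t = { caps[i / 4], (i & 1) ? 1000 : 0, (i & 2) ? 1000 : 0 };
		bad += badness_old(&t, 1600) != badness_new(&t, 1600);
	}
	return bad;
}
int main(void) { return count_mismatches() != 0; }
```

Dropping the `!` in `badness_new` is the inversion the question in the thread worries about; the model makes that easy to try, since `count_mismatches()` then becomes non-zero.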
    



    This archive was generated by hypermail 2b30 : Mon Jun 02 2003 - 03:14:29 PDT