Quoting Geert Uytterhoeven (geert.uytterhoe...@sonycom.com):
> On Wed, 16 Sep 2009, Serge E. Hallyn wrote:
> > Quoting Geert Uytterhoeven (geert.uytterhoe...@sonycom.com):
...
> > > + if tst_kvercmp 2 6 24 ; then
> > > +         echo modprobe capability or recompile your kernel with
> > > +         echo CONFIG_SECURITY_CAPABILITIES=y.
> > > + elif tst_kvercmp 2 6 27 ; then
> > > +         echo recompile your kernel with CONFIG_SECURITY_CAPABILITIES=y.
> > > + else
> > > +         echo recompile your kernel with 
> > > CONFIG_SECURITY_FILE_CAPABILITIES=y.
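Review bot: the branches switch on 2.6.24 and 2.6.27 with no comment saying which config symbol is expected in which kernel range, and the final else names CONFIG_SECURITY_FILE_CAPABILITIES while the first two name CONFIG_SECURITY_CAPABILITIES, so a reader cannot tell which option this check is meant to cover. A one-line comment above each branch stating the range and the symbol would make that checkable. The echo arguments are also unquoted and the first message is split over two echo commands; quoting each string would keep the text intact.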
> > 
> > I don't think splitting these last two up is necessary - the
> > CONFIG_SECURITY_FILE_CAPABILITIES check is in the next stanza
> > in checkforfilecaps.sh.  This check is only for
> > CONFIG_SECURITY_CAPABILITIES itself.
> 
> However, this (first) check is triggered on my 2.6.31+ kernel with
> CONFIG_SECURITY_FILE_CAPABILITIES=n, where the config symbol
> CONFIG_SECURITY_CAPABILITIES no longer exists.
> 
> Or should it be plain CONFIG_SECURITY?

???  Well, taking a quick look at check_simple_capset.c, it's actually
a bit messed up.  I'm pretty sure I did in fact write it, but it isn't
right.  The second test in checkforfilecaps.sh isn't right either -
it checks for the xattr support, not actual file capabilities support.

check_simple_capset.c should just read:

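        #include <sys/capability.h>

        int main(void)
        {
                cap_t caps = cap_from_text("cap_sys_admin=ep");
                cap_t caps2 = cap_get_proc();
                int ret;

                if (!caps || !caps2)
                        return 1;       /* fail */
                /* cap_compare() returns 0 when the two capability sets match */
                ret = cap_compare(caps, caps2);
                cap_free(caps);
                cap_free(caps2);
                return ret;
        }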

The second test should actually execute a copy of sleep with filecaps,
i.e.
        cp `which sleep` .
        setcap cap_sys_admin=ep ./sleep
        # run the copy as the ltp user
        capsh --uid=`id -u ltp`  -- -c "./sleep 20" &
        p=`jobs -p`
        # 0000000000200000 is bit 21, cap_sys_admin
        prm=`grep CapPrm /proc/$p/status | awk '{ print $2 }'`
        inh=`grep CapInh /proc/$p/status | awk '{ print $2 }'`
        eff=`grep CapEff /proc/$p/status | awk '{ print $2 }'`
        if [ "$inh" != "0000000000000000" ]; then
                fail;
        fi
        if [ "$prm" != "0000000000200000" ]; then
                fail;
        fi
        if [ "$eff" != "0000000000200000" ]; then
                fail;
        fi
        pass

-serge
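
Added example, not part of the original mail or of LTP: the CapInh/CapPrm/CapEff comparison described above, written as a function that takes a status file and a capability bit number instead of fixed strings, so it goes slightly beyond the cap_sys_admin case. The names check_caps and cap_field and the sample status text are assumptions made for this example.

```shell
#!/bin/sh
# check_caps FILE BIT
#   0 if CapInh is empty and CapPrm == CapEff == (1 << BIT)
#   1 if a set has an unexpected value, 2 if FILE is not usable

# Print the hex mask from one Cap* line of a status file.
cap_field() {
        awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

check_caps() {
        status=$1
        want=$((1 << $2))
        for f in CapInh CapPrm CapEff; do
                hex=$(cap_field "$status" "$f")
                # Missing or non-hex field: not a process status file.
                case $hex in
                ''|*[!0-9a-fA-F]*) echo "$f missing or malformed"; return 2 ;;
                esac
                val=$((0x$hex))
                # File caps "=ep" must not leak into the inheritable set.
                case $f in
                CapInh) exp=0 ;;
                *)      exp=$want ;;
                esac
                if [ "$val" -ne "$exp" ]; then
                        printf '%s is %s, expected %016x\n' "$f" "$hex" "$exp"
                        return 1
                fi
        done
        return 0
}

# Constructed sample: the fields expected for ./sleep with cap_sys_admin=ep
# run by an unprivileged user (cap_sys_admin is capability number 21).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Name:   sleep
CapInh: 0000000000000000
CapPrm: 0000000000200000
CapEff: 0000000000200000
EOF
check_caps "$sample" 21 && echo "pass"
rm -f "$sample"
```

In a real test the first argument would be /proc/$p/status, read once the background process has become ./sleep.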

_______________________________________________
Ltp-list mailing list
Ltp-list@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ltp-list
