Re: [PATCH] 64 bit capabilities
Quoting Andrew Morgan ([EMAIL PROTECTED]):
> Serge E. Hallyn wrote:
> > I defined CAP_NS_UNSHARE as bit 32 as an experiment, and had to do some finagling/combination of both of your trees to do so... Though that aside I'm pleased to say it all worked perfectly.
>
> In my tree, you should be able to simply add it to the convenience copy of libcap/include/linux/capability.h and recompile.

Andrew and Kaigai,

I'm having libcap troubles. Kaigai, did you in fact take your googlecode version down?

Andrew, I tried libcap 2.02 on a test system with 2.6.24-rc3. setcap results in binaries which won't load with a new kernel. When I use setfcaps from the googlecode version, it works fine. setcap also takes the older argument versions (i.e. not -c caps, but just caps). I don't care about the arguments, but thought maybe that meant an older version of the code snuck into the new libcap?

(I haven't looked deeper into the code, since I assume there's a very simple explanation or solution...)

thanks,
-serge
-
To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] 64 bit capabilities
Sigh, sorry, ignore me. Wrong kernel branch!

icouldasworn...

-serge

Quoting Andrew Morgan ([EMAIL PROTECTED]):
> [EMAIL PROTECTED] wrote:
> > Quoting Andrew Morgan ([EMAIL PROTECTED]):
> > > Serge E. Hallyn wrote:
> > > > I defined CAP_NS_UNSHARE as bit 32 as an experiment, and had to do some finagling/combination of both of your trees to do so... Though that aside I'm pleased to say it all worked perfectly.
> > >
> > > In my tree, you should be able to simply add it to the convenience copy of libcap/include/linux/capability.h and recompile.
> >
> > Andrew and Kaigai,
> >
> > I'm having libcap troubles. Kaigai, did you in fact take your googlecode version down?
> >
> > Andrew, I tried libcap 2.02 on a test system with 2.6.24-rc3. setcap results in binaries which won't load with a new kernel. When I use setfcaps from the googlecode version, it works fine. setcap also takes the older argument versions (i.e. not -c caps, but just caps). I don't care about the arguments, but thought maybe that meant an older version of the code snuck into the new libcap?
> >
> > (I haven't looked deeper into the code, since I assume there's a very simple explanation or solution...)
>
> I guess I'll need an example to look further. I'm not sure why it wouldn't work, does strace offer any clue?
>
> Thanks
>
> Andrew
Re: [PATCH] 64 bit capabilities
[EMAIL PROTECTED] wrote:
> Quoting Andrew Morgan ([EMAIL PROTECTED]):
> > Serge E. Hallyn wrote:
> > > I defined CAP_NS_UNSHARE as bit 32 as an experiment, and had to do some finagling/combination of both of your trees to do so... Though that aside I'm pleased to say it all worked perfectly.
> >
> > In my tree, you should be able to simply add it to the convenience copy of libcap/include/linux/capability.h and recompile.
>
> Andrew and Kaigai,
>
> I'm having libcap troubles. Kaigai, did you in fact take your googlecode version down?

Because the repository on the google code is a bit confusable for anyone trying to use recent capability features, I noticed an information to refer to Andrew's git-tree on the top of the project page for a while, and now the repository on the googlecode is only visible for me.

> Andrew, I tried libcap 2.02 on a test system with 2.6.24-rc3. setcap results in binaries which won't load with a new kernel. When I use setfcaps from the googlecode version, it works fine. setcap also takes the older argument versions (i.e. not -c caps, but just caps). I don't care about the arguments, but thought maybe that meant an older version of the code snuck into the new libcap?
>
> (I haven't looked deeper into the code, since I assume there's a very simple explanation or solution...)
>
> thanks,
> -serge

--
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]
Re: [PATCH] 64 bit capabilities
KaiGai Kohei wrote:
> Please consider to apply it on your tree.

Done, thanks! I've pushed libcap-2.02.

Cheers

Andrew

> EXAMPLE:
> [EMAIL PROTECTED] libcap]$ ./progs/getcap -r /tmp
> /tmp/ping = cap_net_raw+ep
> [EMAIL PROTECTED] libcap]$
>
> Thanks,
Re: [PATCH] 64 bit capabilities
Serge E. Hallyn wrote:
> I defined CAP_NS_UNSHARE as bit 32 as an experiment, and had to do some finagling/combination of both of your trees to do so... Though that aside I'm pleased to say it all worked perfectly.

In my tree, you should be able to simply add it to the convenience copy of libcap/include/linux/capability.h and recompile.

Cheers

Andrew
Re: [PATCH] 64 bit capabilities
Quoting KaiGai Kohei ([EMAIL PROTECTED]):
> Andrew Morgan,
>
> I'll post the patch of setfcaps/getfcap for his tree. I believe it is better way to maintain.
>
> Thanks,
>
> The following patch to libcap enables to display file capabilities recursively on the enumerated directories when -r is specified.
>
> In addition, some other features are ported from my getfcap. When an entry contains no file-capabilities, displaying it will be skipped without returning an error. However, -v option enables to display those filenames with no capabilities. -h options displays short usage message.
>
> Please consider to apply it on your tree.
>
> EXAMPLE:
> [EMAIL PROTECTED] libcap]$ ./progs/getcap -r /tmp
> /tmp/ping = cap_net_raw+ep
> [EMAIL PROTECTED] libcap]$

So I'm unclear - is there going to be one definitive libcap tree? I downloaded Andrew's tree, but it didn't seem to have a copy of setfcaps.c and getfcaps.c at all.

I defined CAP_NS_UNSHARE as bit 32 as an experiment, and had to do some finagling/combination of both of your trees to do so... Though that aside I'm pleased to say it all worked perfectly.

-serge
Re: [PATCH] 64 bit capabilities
Quoting Andrew Morgan ([EMAIL PROTECTED]):
> Serge,
>
> I guess I'm not sure what to do about this. In the caller there is an explicit check for negative rc in which case the modified function is not called.

Yeah, and it's only used to compare to two constants anyway. (I was thinking it was used more directly to control # bytes copied, but it isn't.)

It does seem to have the potential of confusing future coders, so from that point of view it might be safest to have

	if (rc < 0)
		goto out;
	unsigned size = (unsigned)rc;
	rc = cap_from_disk(v1caps, bprm, size);

But it sure looks like I'm being pedantic so please feel free to ignore me.

thanks,
-serge

> The argument really is an unsigned quantity and I felt this change was an improvement/fix. Can you suggest a change that would satisfy you here?
>
> Thanks
>
> Andrew
>
> Serge E. Hallyn wrote:
> > Other than the one comment below,
> >
> > Acked-by: Serge Hallyn [EMAIL PROTECTED]

- -static inline int cap_from_disk(__le32 *caps, struct linux_binprm *bprm, - - int size) +static inline int cap_from_disk(struct vfs_cap_data *caps, + struct linux_binprm *bprm, unsigned size) Note that you switched this to unsigned, but the caller is still sending in an int (rc). [..] @@ -219,7 +245,7 @@ static int get_file_caps(struct linux_binprm *bprm) { struct dentry *dentry; int rc = 0; - - __le32 v1caps[XATTR_CAPS_SZ]; + struct vfs_cap_data vcaps; struct inode *inode; if (bprm-file-f_vfsmnt-mnt_flags MNT_NOSUID) { @@ -232,8 +258,8 @@ static int get_file_caps(struct linux_binprm *bprm) if (!inode-i_op || !inode-i_op-getxattr) goto out; - - rc = inode-i_op-getxattr(dentry, XATTR_NAME_CAPS, v1caps, - - XATTR_CAPS_SZ); + rc = inode-i_op-getxattr(dentry, XATTR_NAME_CAPS, vcaps, +XATTR_CAPS_SZ); if (rc == -ENODATA || rc == -EOPNOTSUPP) { /* no data, that's ok */ rc = 0; 
@@ -242,7 +268,7 @@ static int get_file_caps(struct linux_binprm *bprm) if (rc 0) goto out; - - rc = cap_from_disk(v1caps, bprm, rc); + rc = cap_from_disk(vcaps, bprm, rc); if (rc) printk(KERN_NOTICE %s: cap_from_disk returned %d for %s\n, -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHNTXnmwytjiwfWMwRAl+SAKCWzzeTd/5/gRA3wqE+cb9yfPS9cwCfVjC0 w4D0isaFXnOCW77WcG+1d7o= =kRqk -END PGP SIGNATURE- - To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] 64 bit capabilities
On Wed, 07 Nov 2007 23:44:49 -0800 Andrew Morgan [EMAIL PROTECTED] wrote:
> The attached patch (e3d27bcb07485a6c8927c8e4f5483d35a99680c3) adds 64-bit capability support to the kernel. This version of the patch is designed to apply against the 2.6.23-mm1 tree.
>
> FWIW libcap-2.00 supports this change (and earlier capability formats)
>
> http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
>
> Cheers
>
> Andrew
>
> Note: to apply this patch against Linus' upstream kernel, you will first have to undo this other patch from Serge:
>
> From b68680e4731abbd78863063aaa0dca2a6d8cc723 Mon Sep 17 00:00:00 2001
> From: Serge E. Hallyn [EMAIL PROTECTED]
> Date: Sun, 21 Oct 2007 16:41:38 -0700
> Subject: [PATCH] capabilities: clean up file capability reading
>
> It seems that this patch has made it into 2.6.24-rc1, but it is not

Well I did that reversion, but I don't understand why. Was that patch wrong, or did it make this new patch impractical, or...?
Re: [PATCH] 64 bit capabilities
Quoting Andrew Morton ([EMAIL PROTECTED]):
> On Wed, 07 Nov 2007 23:44:49 -0800 Andrew Morgan [EMAIL PROTECTED] wrote:
> > The attached patch (e3d27bcb07485a6c8927c8e4f5483d35a99680c3) adds 64-bit capability support to the kernel. This version of the patch is designed to apply against the 2.6.23-mm1 tree.
> >
> > FWIW libcap-2.00 supports this change (and earlier capability formats)
> >
> > http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
> >
> > Cheers
> >
> > Andrew
> >
> > Note: to apply this patch against Linus' upstream kernel, you will first have to undo this other patch from Serge:
> >
> > From b68680e4731abbd78863063aaa0dca2a6d8cc723 Mon Sep 17 00:00:00 2001
> > From: Serge E. Hallyn [EMAIL PROTECTED]
> > Date: Sun, 21 Oct 2007 16:41:38 -0700
> > Subject: [PATCH] capabilities: clean up file capability reading
> >
> > It seems that this patch has made it into 2.6.24-rc1, but it is not
>
> Well I did that reversion, but I don't understand why. Was that patch wrong, or did it make this new patch impractical, or...?

Andrew wanted to keep the vfs_cap_data.data[] structure, using two 'data's for 64-bit caps (and later three for 96-bit caps), whereas my patch had gotten rid of the 'data' struct and made its members inline.

His 64-bit caps patch keeps the stack abuse fix at get_file_caps(), which was the more important part of that patch.

thanks,
-serge
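The on-disk layout Serge describes above (one magic_etc word, then one 'data' pair of permitted/inheritable words per 32 capability bits), together with the exact-size-per-revision check from the patch's cap_from_disk(), as an added user-space example; it is not code from the patch or from libcap. struct file_caps, parse_file_caps(), cap_to_u32() and the two byte arrays are hypothetical and constructed for illustration, and the constant values are those of the upstream header, not values read from this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Names follow the patch; values are those of upstream linux/capability.h. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x000001u
#define VFS_CAP_REVISION_1      0x01000000u
#define VFS_CAP_U32_1           1u
#define XATTR_CAPS_SZ_1         (4u * (1u + 2u * VFS_CAP_U32_1))   /* 12 bytes */
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_U32_2           2u
#define XATTR_CAPS_SZ_2         (4u * (1u + 2u * VFS_CAP_U32_2))   /* 20 bytes */

/* Hypothetical result type for this example: each set widened to 64 bits. */
struct file_caps {
    uint64_t permitted;
    uint64_t inheritable;
    int effective;
};

/* Constructed sample: revision 1, effective flag set, permitted = bit 13
 * (cap_net_raw), i.e. the on-disk form of "cap_net_raw+ep". */
static const unsigned char SAMPLE_V1[XATTR_CAPS_SZ_1] = {
    0x01, 0x00, 0x00, 0x01,   /* magic_etc = 0x01000001, little-endian */
    0x00, 0x20, 0x00, 0x00,   /* data[0].permitted   = 1 << 13 */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable = 0 */
};

/* Constructed sample: revision 2 with only bit 32 permitted, the slot Serge
 * used for his experimental capability. */
static const unsigned char SAMPLE_V2[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = 0x02000001 */
    0x00, 0x00, 0x00, 0x00,   /* data[0].permitted   (bits 0..31)  */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x01, 0x00, 0x00, 0x00,   /* data[1].permitted   (bits 32..63) */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* rc is the getxattr-style return value: a byte count or a negative errno.
 * The sign is checked before rc is ever treated as an unsigned length. */
int parse_file_caps(const unsigned char *buf, int rc, struct file_caps *out)
{
    size_t size, tocopy, i;
    uint32_t magic_etc;

    if (rc < 0)
        return rc;
    size = (size_t)rc;
    if (size < sizeof(magic_etc))
        return -EINVAL;

    magic_etc = rd_le32(buf);
    switch (magic_etc & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1:
        if (size != XATTR_CAPS_SZ_1)
            return -EINVAL;
        tocopy = VFS_CAP_U32_1;
        break;
    case VFS_CAP_REVISION_2:
        if (size != XATTR_CAPS_SZ_2)
            return -EINVAL;
        tocopy = VFS_CAP_U32_2;
        break;
    default:
        return -EINVAL;
    }

    /* Clear everything first so words a revision 1 blob does not carry
     * end up as zero rather than stale data. */
    memset(out, 0, sizeof(*out));
    out->effective = (magic_etc & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    for (i = 0; i < tocopy; i++) {
        const unsigned char *d = buf + 4 + 8 * i;
        out->permitted   |= (uint64_t)rd_le32(d)     << (32 * i);
        out->inheritable |= (uint64_t)rd_le32(d + 4) << (32 * i);
    }
    return 0;
}

/* Legacy 32-bit view of a set: refuse with -ERANGE when it does not fit,
 * mirroring the behaviour the commit message describes for old userspace. */
int cap_to_u32(uint64_t caps, uint32_t *out)
{
    if (caps >> 32)
        return -ERANGE;
    *out = (uint32_t)caps;
    return 0;
}

int main(void)
{
    struct file_caps fc;
    uint32_t lo;

    if (parse_file_caps(SAMPLE_V1, (int)sizeof(SAMPLE_V1), &fc) == 0)
        printf("v1: permitted=%016llx effective=%d\n",
               (unsigned long long)fc.permitted, fc.effective);
    if (parse_file_caps(SAMPLE_V2, (int)sizeof(SAMPLE_V2), &fc) == 0)
        printf("v2: permitted=%016llx fits in 32 bits: %s\n",
               (unsigned long long)fc.permitted,
               cap_to_u32(fc.permitted, &lo) == 0 ? "yes" : "no (-ERANGE)");
    return 0;
}
```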
Re: [PATCH] 64 bit capabilities
Quoting Andrew Morgan ([EMAIL PROTECTED]): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew, Serge The attached patch (e3d27bcb07485a6c8927c8e4f5483d35a99680c3) adds 64-bit capability support to the kernel. This version of the patch is designed to apply against the 2.6.23-mm1 tree. FWIW libcap-2.00 supports this change (and earlier capability formats) http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ Cheers Andrew Note: to apply this patch against Linus' upstream kernel, you will first have to undo this other patch from Serge: From b68680e4731abbd78863063aaa0dca2a6d8cc723 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Sun, 21 Oct 2007 16:41:38 -0700 Subject: [PATCH] capabilities: clean up file capability reading It seems that this patch has made it into 2.6.24-rc1, but it is not present in 2.6.23-mm1. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHMr5rQheEq9QabfIRAkWuAJ9vQBefhA31KWobFGkIugMnPiS7TwCgkeNg DXC3U5OPNO/w9ERJBltxMKo= =SjLL -END PGP SIGNATURE- From e3d27bcb07485a6c8927c8e4f5483d35a99680c3 Mon Sep 17 00:00:00 2001 From: Andrew G. Morgan [EMAIL PROTECTED] Date: Wed, 7 Nov 2007 23:17:06 -0800 Subject: [PATCH] Add 64-bit capability support to the kernel. The patch has supports legacy (32-bit) capability userspace, and where possible translates 32-bit capabilities to/from userspace and the VFS to 64-bit kernel space capabilities. If a capability set cannot be compressed into 32-bits for consumption by user space, the system call fails, with -ERANGE. FWIW libcap-2.00 supports this change (and earlier capability formats) http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ 
Signed-off-by: Andrew G. Morgan [EMAIL PROTECTED] Other than the one comment below, Acked-by: Serge Hallyn [EMAIL PROTECTED] --- fs/nfsd/auth.c | 10 +- fs/proc/array.c| 21 +++- include/linux/capability.h | 222 +++- kernel/capability.c| 89 -- mm/oom_kill.c |5 +- security/commoncap.c | 93 +-- security/dummy.c | 17 ++- 7 files changed, 332 insertions(+), 125 deletions(-) [...] diff --git a/security/commoncap.c b/security/commoncap.c index 43f9027..dd63129 100644 --- a/security/commoncap.c +++ b/security/commoncap.c @@ -1,4 +1,4 @@ -/* Common capabilities, needed by capability.o and root_plug.o +/* Common capabilities, needed by capability.o and root_plug.o * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -87,9 +87,9 @@ int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted) { /* Derived from kernel/capability.c:sys_capget. */ - *effective = cap_t (target-cap_effective); - *inheritable = cap_t (target-cap_inheritable); - *permitted = cap_t (target-cap_permitted); + *effective = target-cap_effective; + *inheritable = target-cap_inheritable; + *permitted = target-cap_permitted; return 0; } 
@@ -190,28 +190,54 @@ int cap_inode_killpriv(struct dentry *dentry) return inode-i_op-removexattr(dentry, XATTR_NAME_CAPS); } -static inline int cap_from_disk(__le32 *caps, struct linux_binprm *bprm, - int size) +static inline int cap_from_disk(struct vfs_cap_data *caps, + struct linux_binprm *bprm, unsigned size) Note that you switched this to unsigned, but the caller is still sending in an int (rc). { __u32 magic_etc; + unsigned tocopy, i; - if (size != XATTR_CAPS_SZ) + if (size sizeof(magic_etc)) { return -EINVAL; + } - magic_etc = le32_to_cpu(caps[0]); + magic_etc = le32_to_cpu(caps-magic_etc); switch ((magic_etc VFS_CAP_REVISION_MASK)) { - case VFS_CAP_REVISION: - if (magic_etc VFS_CAP_FLAGS_EFFECTIVE) - bprm-cap_effective = true; - else - bprm-cap_effective = false; - bprm-cap_permitted = to_cap_t( le32_to_cpu(caps[1]) ); - bprm-cap_inheritable = to_cap_t( le32_to_cpu(caps[2]) ); - return 0; + case VFS_CAP_REVISION_1: + if (size != XATTR_CAPS_SZ_1) { + return -EINVAL; + } + tocopy = VFS_CAP_U32_1; + break; + case VFS_CAP_REVISION_2: + if (size != XATTR_CAPS_SZ_2) { + return -EINVAL; + } + tocopy = VFS_CAP_U32_2; + break; default: return -EINVAL; } + + if (magic_etc VFS_CAP_FLAGS_EFFECTIVE) { + bprm-cap_effective
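Review bot: in cap_from_disk(), the VFS_CAP_REVISION_1 case sets tocopy = VFS_CAP_U32_1, so a revision 1 xattr supplies only the first 32-bit word of each set, and the quoted hunk is cut off before the copy itself. Please confirm that the words from tocopy up to the kernel's full width in bprm->cap_permitted and bprm->cap_inheritable are cleared explicitly rather than left as whatever bprm already held. A short comment above the switch saying that each revision requires an exact xattr size (XATTR_CAPS_SZ_1 or XATTR_CAPS_SZ_2) and that anything else is -EINVAL would also help whoever adds the next revision.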
Re: [PATCH] 64 bit capabilities
Serge E. Hallyn wrote:
> > > Note: to apply this patch against Linus' upstream kernel, you will first have to undo this other patch from Serge:
> > >
> > > From b68680e4731abbd78863063aaa0dca2a6d8cc723 Mon Sep 17 00:00:00 2001
> > > From: Serge E. Hallyn [EMAIL PROTECTED]
> > > Date: Sun, 21 Oct 2007 16:41:38 -0700
> > > Subject: [PATCH] capabilities: clean up file capability reading
> > >
> > > It seems that this patch has made it into 2.6.24-rc1, but it is not
> >
> > Well I did that reversion, but I don't understand why. Was that patch wrong, or did it make this new patch impractical, or...?
>
> Andrew wanted to keep the vfs_cap_data.data[] structure, using two 'data's for 64-bit caps (and later three for 96-bit caps), whereas my patch had gotten rid of the 'data' struct and made its members inline.
>
> His 64-bit caps patch keeps the stack abuse fix at get_file_caps(), which was the more important part of that patch.

Serge and I had diverged in what we considered a cleanup. I took his important stack abuse fix, but did not follow the path he was taking with the capability.h file changes. So the higher order bit is yes to the impractical part of your question above.

Cheers

Andrew
Re: [PATCH] 64 bit capabilities
Serge,

I guess I'm not sure what to do about this. In the caller there is an explicit check for negative rc in which case the modified function is not called.

The argument really is an unsigned quantity and I felt this change was an improvement/fix. Can you suggest a change that would satisfy you here?

Thanks

Andrew

Serge E. Hallyn wrote:
> Other than the one comment below,
>
> Acked-by: Serge Hallyn [EMAIL PROTECTED]

- -static inline int cap_from_disk(__le32 *caps, struct linux_binprm *bprm, - - int size) +static inline int cap_from_disk(struct vfs_cap_data *caps, + struct linux_binprm *bprm, unsigned size) Note that you switched this to unsigned, but the caller is still sending in an int (rc). [..] @@ -219,7 +245,7 @@ static int get_file_caps(struct linux_binprm *bprm) { struct dentry *dentry; int rc = 0; - - __le32 v1caps[XATTR_CAPS_SZ]; + struct vfs_cap_data vcaps; struct inode *inode; if (bprm-file-f_vfsmnt-mnt_flags MNT_NOSUID) { @@ -232,8 +258,8 @@ static int get_file_caps(struct linux_binprm *bprm) if (!inode-i_op || !inode-i_op-getxattr) goto out; - - rc = inode-i_op-getxattr(dentry, XATTR_NAME_CAPS, v1caps, - - XATTR_CAPS_SZ); + rc = inode-i_op-getxattr(dentry, XATTR_NAME_CAPS, vcaps, + XATTR_CAPS_SZ); if (rc == -ENODATA || rc == -EOPNOTSUPP) { /* no data, that's ok */ rc = 0; 
@@ -242,7 +268,7 @@ static int get_file_caps(struct linux_binprm *bprm) if (rc 0) goto out; - - rc = cap_from_disk(v1caps, bprm, rc); + rc = cap_from_disk(vcaps, bprm, rc); if (rc) printk(KERN_NOTICE %s: cap_from_disk returned %d for %s\n, -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.7 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHNTXnmwytjiwfWMwRAl+SAKCWzzeTd/5/gRA3wqE+cb9yfPS9cwCfVjC0 w4D0isaFXnOCW77WcG+1d7o= =kRqk -END PGP SIGNATURE- - To unsubscribe from this list: send the line unsubscribe linux-security-module in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
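Review bot: in the get_file_caps() hunk at @@ -232,8 +258,8 @@ the length passed to getxattr() is still the macro XATTR_CAPS_SZ, while the destination is now the stack variable declared as struct vfs_cap_data vcaps, so nothing in these lines ties the read length to the buffer that receives it. I would pass the size of the buffer itself (sizeof(vcaps)) or add a compile-time assertion that XATTR_CAPS_SZ does not exceed it, so that a later revision which grows XATTR_CAPS_SZ cannot write past the struct on the stack. At the call in @@ -242,7 +268,7 @@ rc is both the byte count going in and the status coming out; a named unsigned local for the length, as suggested in the thread, would make the int-to-unsigned conversion visible.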
Re: [PATCH] 64 bit capabilities
Serge E. Hallyn wrote:
> Kaigai, Andrew,
>
> I believe you are maintaining competing versions of libcap,
> http://code.google.com/p/libcap/ and
> http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/
>
> -serge

Please tell me the repository path of Andrew Morgan's libcap.

I'll post the patch of setfcaps/getfcap for his tree. I believe it is better way to maintain.

Thanks,
--
KaiGai Kohei [EMAIL PROTECTED]
[PATCH] 64 bit capabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Andrew, Serge The attached patch (e3d27bcb07485a6c8927c8e4f5483d35a99680c3) adds 64-bit capability support to the kernel. This version of the patch is designed to apply against the 2.6.23-mm1 tree. FWIW libcap-2.00 supports this change (and earlier capability formats) http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ Cheers Andrew Note: to apply this patch against Linus' upstream kernel, you will first have to undo this other patch from Serge: From b68680e4731abbd78863063aaa0dca2a6d8cc723 Mon Sep 17 00:00:00 2001 From: Serge E. Hallyn [EMAIL PROTECTED] Date: Sun, 21 Oct 2007 16:41:38 -0700 Subject: [PATCH] capabilities: clean up file capability reading It seems that this patch has made it into 2.6.24-rc1, but it is not present in 2.6.23-mm1. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHMr5rQheEq9QabfIRAkWuAJ9vQBefhA31KWobFGkIugMnPiS7TwCgkeNg DXC3U5OPNO/w9ERJBltxMKo= =SjLL -END PGP SIGNATURE- From e3d27bcb07485a6c8927c8e4f5483d35a99680c3 Mon Sep 17 00:00:00 2001 From: Andrew G. Morgan [EMAIL PROTECTED] Date: Wed, 7 Nov 2007 23:17:06 -0800 Subject: [PATCH] Add 64-bit capability support to the kernel. The patch has supports legacy (32-bit) capability userspace, and where possible translates 32-bit capabilities to/from userspace and the VFS to 64-bit kernel space capabilities. If a capability set cannot be compressed into 32-bits for consumption by user space, the system call fails, with -ERANGE. FWIW libcap-2.00 supports this change (and earlier capability formats) http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.6/ Signed-off-by: Andrew G. Morgan [EMAIL PROTECTED] --- fs/nfsd/auth.c | 10 +- fs/proc/array.c| 21 +++- include/linux/capability.h | 222 +++- kernel/capability.c| 89 -- mm/oom_kill.c |5 +- security/commoncap.c | 93 +-- security/dummy.c | 17 ++- 7 files changed, 332 insertions(+), 125 deletions(-) 
diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 2192805..d13403e 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c @@ -11,8 +11,6 @@ #include linux/nfsd/nfsd.h #include linux/nfsd/export.h -#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) - int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) { struct exp_flavor_info *f; @@ -69,10 +67,12 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) ret = set_current_groups(cred.cr_group_info); put_group_info(cred.cr_group_info); if ((cred.cr_uid)) { - cap_t(current-cap_effective) = ~CAP_NFSD_MASK; + current-cap_effective = + cap_drop_nfsd_set(current-cap_effective); } else { - cap_t(current-cap_effective) |= (CAP_NFSD_MASK - current-cap_permitted); + current-cap_effective = + cap_raise_nfsd_set(current-cap_effective, + current-cap_permitted); } return ret; } diff --git a/fs/proc/array.c b/fs/proc/array.c index 3f4d824..303b366 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -286,14 +286,23 @@ static inline char *task_sig(struct task_struct *p, char *buffer) return buffer; } +static char *render_cap_t(const char *header, kernel_cap_t *a, char *buffer) +{ + unsigned __capi; + + buffer += sprintf(buffer, %s, header); + CAP_FOR_EACH_U32(__capi) { + buffer += sprintf(buffer, %08x, + a-cap[(_LINUX_CAPABILITY_U32S-1) -__capi]); + } + return buffer + sprintf(buffer, \n); +} + static inline char *task_cap(struct task_struct *p, char *buffer) { -return buffer + sprintf(buffer, CapInh:\t%016x\n - CapPrm:\t%016x\n - CapEff:\t%016x\n, - cap_t(p-cap_inheritable), - cap_t(p-cap_permitted), - cap_t(p-cap_effective)); + buffer = render_cap_t(CapInh:\t, p-cap_inheritable, buffer); + buffer = render_cap_t(CapPrm:\t, p-cap_permitted, buffer); + return render_cap_t(CapEff:\t, p-cap_effective, buffer); } static inline char *task_context_switch_counts(struct task_struct *p, diff --git a/include/linux/capability.h b/include/linux/capability.h index 7a8d7ad..94663b4 100644 
--- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -23,13 +23,20 @@ struct task_struct; kernel might be somewhat backwards compatible, but don't bet on it. */ -/* XXX - Note, cap_t, is defined by POSIX to be an opaque pointer to +/* Note, cap_t, is defined by POSIX (draft) to be an opaque pointer to a set of three capability sets. The transposition of 3*the following structure to such a composite is better handled in a user library since the draft standard requires the use of malloc/free etc.. */ -#define _LINUX_CAPABILITY_VERSION 0x19980330 +#define _LINUX_CAPABILITY_VERSION_1 0x19980330 +#define _LINUX_CAPABILITY_U32S_1 1 + +#define _LINUX_CAPABILITY_VERSION_2 0x20071026 +#define _LINUX_CAPABILITY_U32S_2 2 + +#define
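Review bot: render_cap_t() in fs/proc/array.c indexes a->cap[] with (_LINUX_CAPABILITY_U32S-1) - __capi, which (assuming CAP_FOR_EACH_U32 counts up from 0) prints the most significant word first and keeps each Cap* line readable as one hex number, but nothing in the function says that this ordering is deliberate. Add a one-line comment on the index expression, and mention in the changelog that the field width is now 8 hex digits per word times _LINUX_CAPABILITY_U32S instead of the fixed %016x, since tools that parse CapInh/CapPrm/CapEff depend on it. The local name __capi also reads like a reserved identifier; a plain name would do unless CAP_FOR_EACH_U32 requires that one.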
Re: [RFC PATCH] 64-bit-capabilities
Quoting Andrew Morgan ([EMAIL PROTECTED]): -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Serge, Here is my latest iteration of the 64-bit support. This is basically it (sans porting it to Andrew's mm tree). Cheers Andrew -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHLsh/QheEq9QabfIRAsuYAJ95+NwEARY3IEKdBeNMcWPNtw30KgCfad1r vH+hVJmZ3bJk8vBPWBxnIs0= =c4Lk -END PGP SIGNATURE- From 03ed1112dd629c885a6311a4b67b54f03693eb62 Mon Sep 17 00:00:00 2001 From: Andrew Morgan [EMAIL PROTECTED] Date: Sun, 28 Oct 2007 23:36:08 -0700 Subject: [PATCH] This patch adds 64-bit capability support to the kernel. The patch has supports legacy (32-bit) capability use, and where possible translates 32-bit capabilities from userspace and the VFS to 64-bit kernel space capabilities. If a capability set cannot be compressed into 32-bits for consumption by user space, the system call fails. --- fs/nfsd/auth.c | 10 +- fs/proc/array.c| 21 +++- include/linux/capability.h | 222 +++- kernel/capability.c| 89 -- mm/oom_kill.c |5 +- security/commoncap.c | 96 --- security/dummy.c | 17 ++- 7 files changed, 331 insertions(+), 129 deletions(-) diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 2192805..d13403e 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c @@ -11,8 +11,6 @@ #include linux/nfsd/nfsd.h #include linux/nfsd/export.h -#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) - int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) { struct exp_flavor_info *f; @@ -69,10 +67,12 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) ret = set_current_groups(cred.cr_group_info); put_group_info(cred.cr_group_info); if ((cred.cr_uid)) { - cap_t(current-cap_effective) = ~CAP_NFSD_MASK; + current-cap_effective = + cap_drop_nfsd_set(current-cap_effective); } else { - cap_t(current-cap_effective) |= (CAP_NFSD_MASK - current-cap_permitted); + current-cap_effective = + cap_raise_nfsd_set(current-cap_effective, +current-cap_permitted); } return ret; } 
diff --git a/fs/proc/array.c b/fs/proc/array.c index 63c95af..1db3ca1 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -286,14 +286,23 @@ static inline char *task_sig(struct task_struct *p, char *buffer) return buffer; } +static char *render_cap_t(const char *header, kernel_cap_t *a, char *buffer) +{ + unsigned __capi; + + buffer += sprintf(buffer, %s, header); + CAP_FOR_EACH_U32(__capi) { + buffer += sprintf(buffer, %08x, + a-cap[(_LINUX_CAPABILITY_U32S-1) -__capi]); + } + return buffer + sprintf(buffer, \n); +} + static inline char *task_cap(struct task_struct *p, char *buffer) { -return buffer + sprintf(buffer, CapInh:\t%016x\n - CapPrm:\t%016x\n - CapEff:\t%016x\n, - cap_t(p-cap_inheritable), - cap_t(p-cap_permitted), - cap_t(p-cap_effective)); + buffer = render_cap_t(CapInh:\t, p-cap_inheritable, buffer); + buffer = render_cap_t(CapPrm:\t, p-cap_permitted, buffer); + return render_cap_t(CapEff:\t, p-cap_effective, buffer); } static inline char *task_context_switch_counts(struct task_struct *p, diff --git a/include/linux/capability.h b/include/linux/capability.h index bb017ed..94663b4 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h 
@@ -23,13 +23,20 @@ struct task_struct; kernel might be somewhat backwards compatible, but don't bet on it. */ -/* XXX - Note, cap_t, is defined by POSIX to be an opaque pointer to +/* Note, cap_t, is defined by POSIX (draft) to be an opaque pointer to a set of three capability sets. The transposition of 3*the following structure to such a composite is better handled in a user library since the draft standard requires the use of malloc/free etc.. */ -#define _LINUX_CAPABILITY_VERSION 0x19980330 +#define _LINUX_CAPABILITY_VERSION_1 0x19980330 +#define _LINUX_CAPABILITY_U32S_1 1 + +#define _LINUX_CAPABILITY_VERSION_2 0x20071026 +#define _LINUX_CAPABILITY_U32S_2 2 + +#define _LINUX_CAPABILITY_VERSION_LINUX_CAPABILITY_VERSION_2 +#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2 typedef struct __user_cap_header_struct { __u32 version; @@ -42,41 +49,42 @@ typedef struct __user_cap_data_struct { __u32 inheritable; } __user *cap_user_data_t; + #define XATTR_CAPS_SUFFIX
[RFC PATCH] 64-bit-capabilities
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Serge, Here is my latest iteration of the 64-bit support. This is basically it (sans porting it to Andrew's mm tree). Cheers Andrew -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFHLsh/QheEq9QabfIRAsuYAJ95+NwEARY3IEKdBeNMcWPNtw30KgCfad1r vH+hVJmZ3bJk8vBPWBxnIs0= =c4Lk -END PGP SIGNATURE- From 03ed1112dd629c885a6311a4b67b54f03693eb62 Mon Sep 17 00:00:00 2001 From: Andrew Morgan [EMAIL PROTECTED] Date: Sun, 28 Oct 2007 23:36:08 -0700 Subject: [PATCH] This patch adds 64-bit capability support to the kernel. The patch has supports legacy (32-bit) capability use, and where possible translates 32-bit capabilities from userspace and the VFS to 64-bit kernel space capabilities. If a capability set cannot be compressed into 32-bits for consumption by user space, the system call fails. --- fs/nfsd/auth.c | 10 +- fs/proc/array.c| 21 +++- include/linux/capability.h | 222 +++- kernel/capability.c| 89 -- mm/oom_kill.c |5 +- security/commoncap.c | 96 --- security/dummy.c | 17 ++- 7 files changed, 331 insertions(+), 129 deletions(-) diff --git a/fs/nfsd/auth.c b/fs/nfsd/auth.c index 2192805..d13403e 100644 --- a/fs/nfsd/auth.c +++ b/fs/nfsd/auth.c @@ -11,8 +11,6 @@ #include linux/nfsd/nfsd.h #include linux/nfsd/export.h -#define CAP_NFSD_MASK (CAP_FS_MASK|CAP_TO_MASK(CAP_SYS_RESOURCE)) - int nfsexp_flags(struct svc_rqst *rqstp, struct svc_export *exp) { struct exp_flavor_info *f; @@ -69,10 +67,12 @@ int nfsd_setuser(struct svc_rqst *rqstp, struct svc_export *exp) ret = set_current_groups(cred.cr_group_info); put_group_info(cred.cr_group_info); if ((cred.cr_uid)) { - cap_t(current-cap_effective) = ~CAP_NFSD_MASK; + current-cap_effective = + cap_drop_nfsd_set(current-cap_effective); } else { - cap_t(current-cap_effective) |= (CAP_NFSD_MASK - current-cap_permitted); + current-cap_effective = + cap_raise_nfsd_set(current-cap_effective, + current-cap_permitted); } return ret; } 
diff --git a/fs/proc/array.c b/fs/proc/array.c index 63c95af..1db3ca1 100644 --- a/fs/proc/array.c +++ b/fs/proc/array.c @@ -286,14 +286,23 @@ static inline char *task_sig(struct task_struct *p, char *buffer) return buffer; } +static char *render_cap_t(const char *header, kernel_cap_t *a, char *buffer) +{ + unsigned __capi; + + buffer += sprintf(buffer, %s, header); + CAP_FOR_EACH_U32(__capi) { + buffer += sprintf(buffer, %08x, + a-cap[(_LINUX_CAPABILITY_U32S-1) -__capi]); + } + return buffer + sprintf(buffer, \n); +} + static inline char *task_cap(struct task_struct *p, char *buffer) { -return buffer + sprintf(buffer, CapInh:\t%016x\n - CapPrm:\t%016x\n - CapEff:\t%016x\n, - cap_t(p-cap_inheritable), - cap_t(p-cap_permitted), - cap_t(p-cap_effective)); + buffer = render_cap_t(CapInh:\t, p-cap_inheritable, buffer); + buffer = render_cap_t(CapPrm:\t, p-cap_permitted, buffer); + return render_cap_t(CapEff:\t, p-cap_effective, buffer); } static inline char *task_context_switch_counts(struct task_struct *p, diff --git a/include/linux/capability.h b/include/linux/capability.h index bb017ed..94663b4 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h 
@@ -23,13 +23,20 @@ struct task_struct; kernel might be somewhat backwards compatible, but don't bet on it. */ -/* XXX - Note, cap_t, is defined by POSIX to be an opaque pointer to +/* Note, cap_t, is defined by POSIX (draft) to be an opaque pointer to a set of three capability sets. The transposition of 3*the following structure to such a composite is better handled in a user library since the draft standard requires the use of malloc/free etc.. */ -#define _LINUX_CAPABILITY_VERSION 0x19980330 +#define _LINUX_CAPABILITY_VERSION_1 0x19980330 +#define _LINUX_CAPABILITY_U32S_1 1 + +#define _LINUX_CAPABILITY_VERSION_2 0x20071026 +#define _LINUX_CAPABILITY_U32S_2 2 + +#define _LINUX_CAPABILITY_VERSION_LINUX_CAPABILITY_VERSION_2 +#define _LINUX_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_2 typedef struct __user_cap_header_struct { __u32 version; @@ -42,41 +49,42 @@ typedef struct __user_cap_data_struct { __u32 inheritable; } __user *cap_user_data_t; + #define XATTR_CAPS_SUFFIX capability #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX -#define XATTR_CAPS_SZ (3*sizeof(__le32)) #define VFS_CAP_REVISION_MASK 0xFF00 +#define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK +#define VFS_CAP_FLAGS_EFFECTIVE 0x01 + #define VFS_CAP_REVISION_1 0x0100 +#define VFS_CAP_U32_1 1 +#define XATTR_CAPS_SZ_1 (sizeof(__le32)*(1 + 2*VFS_CAP_U32_1)) -#define VFS_CAP_REVISION VFS_CAP_REVISION_1 +#define VFS_CAP_REVISION_2 0x0200 +#define VFS_CAP_U32_2 2 +#define
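Review bot: in include/linux/capability.h the unsuffixed _LINUX_CAPABILITY_VERSION and _LINUX_CAPABILITY_U32S now resolve to the _2 values, so existing userspace that is only recompiled against this header starts sending version 0x20071026 while still allocating a single __user_cap_data_struct. If capget/capset then transfer _LINUX_CAPABILITY_U32S_2 elements behind cap_user_data_t, as these defines suggest, such callers hand the kernel a buffer half the size it expects; either keep the unsuffixed name at the _1 value and make callers opt in to _2 explicitly, or document next to the defines that the data buffer must hold _LINUX_CAPABILITY_U32S elements. Separately, VFS_CAP_FLAGS_MASK is defined as ~VFS_CAP_REVISION_MASK without parentheses; wrap the expansion so it stays correct inside larger expressions.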