Hello.
Herton Ronaldo Krzesinski wrote:
> Make sure we call cap_bprm_set_creds with tomoyo, to set credentials
> properly inside tomoyo_bprm_set_creds
>
> Signed-off-by: Herton Ronaldo Krzesinski <[email protected]>
> ---
> security/tomoyo/tomoyo.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> Hi, I noted that in a boot with 2.6.30-rc7 with tomoyo enabled, testing on a
> system without ccs-tools installed (thus tomoyo enabled but not used*), some
> suid executables were not working (for example, su - was not working
> anymore with tomoyo enabled); I traced it to tomoyo not calling
> cap_bprm_set_creds, please review and send as a 2.6.30 bugfix, thanks.
>
> *I didn't test yet whether the bug doesn't happen with ccs-tools installed,
> hence my note
Oh, I didn't know TOMOYO needs to call cap_bprm_set_creds().
>
> diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
> index 5b48191..e42be5c 100644
> --- a/security/tomoyo/tomoyo.c
> +++ b/security/tomoyo/tomoyo.c
> @@ -27,6 +27,12 @@ static int tomoyo_cred_prepare(struct cred *new, const
> struct cred *old,
>
> static int tomoyo_bprm_set_creds(struct linux_binprm *bprm)
> {
> + int rc;
> +
> + rc = cap_bprm_set_creds(bprm);
> + if (rc)
> + return rc;
> +
> /*
> * Do only if this function is called for the first time of an execve
> * operation.
>
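Review bot: the early `if (rc) return rc;` placed before TOMOYO's own "first time of an execve" logic is the right ordering, since the commoncap credential setup for setuid/setgid binaries must succeed before any TOMOYO-specific handling runs, and this matches what the SMACK hook table below does via `.bprm_set_creds = cap_bprm_set_creds`. The same table lists `.bprm_secureexec`, `.task_fix_setuid` and the other cap_* hooks that a stacked LSM must forward; since this hunk only restores bprm_set_creds, consider checking in the same fix whether TOMOYO leaves those unwired too, as the suid breakage described in the cover text suggests more than one may be missing.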
SMACK is calling the capability hooks listed below.
Maybe TOMOYO needs to call these capability hooks as well.
struct security_operations smack_ops = {
	.capget =			cap_capget,
	.capset =			cap_capset,
	.capable =			cap_capable,
	.settime =			cap_settime,
	.vm_enough_memory =		cap_vm_enough_memory,
	.bprm_set_creds =		cap_bprm_set_creds,
	.bprm_secureexec =		cap_bprm_secureexec,
	.inode_need_killpriv =		cap_inode_need_killpriv,
	.inode_killpriv =		cap_inode_killpriv,
	.task_fix_setuid =		cap_task_fix_setuid,
	.task_prctl =			cap_task_prctl,
	.netlink_send =			cap_netlink_send,
	.netlink_recv =			cap_netlink_recv,
};
Thank you.
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en