authorChris Wright <chris@wirex.com>2002-11-19 03:01:48 -0800
committerLinus Torvalds <torvalds@home.transmeta.com>2002-11-19 03:01:48 -0800
commita879e2fdb6836ca3028b3ca8c11e397b0f8b688b (patch)
tree1325e87318ad0ff4eff556db7e355036bca2e2b5 /security
parent36a0426742ce32c36345cefaf2d0cddabad8e4d3 (diff)
[PATCH] remove duplicated assignment from sys_capget.
This removes the code from sys_capget that fills out the capability set being returned to userspace. The module handles this in a policy-specific way. This updates the dummy.c module to fill in return data according to superuser policy, and also disables setting capabilities in superuser policy.
Diffstat (limited to 'security')
-rw-r--r--security/dummy.c13
1 files changed, 12 insertions, 1 deletions
diff --git a/security/dummy.c b/security/dummy.c
index 8d036ab418b295..3c34dc783790b4 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -27,6 +27,17 @@ static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted)
{
+ *effective = *inheritable = *permitted = 0;
+ if (!issecure(SECURE_NOROOT)) {
+ if (target->euid == 0) {
+ *permitted |= (~0 & ~CAP_FS_MASK);
+ *effective |= (~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK);
+ }
+ if (target->fsuid == 0) {
+ *permitted |= CAP_FS_MASK;
+ *effective |= CAP_FS_MASK;
+ }
+ }
return 0;
}
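Review bot: The block added to dummy_capget carries no comment saying that the three sets are synthesized from `target->euid` and `target->fsuid` rather than read from any stored per-task capability state, so a consumer of capget output cannot tell these are policy-derived values. A short comment above the first assignment would cover it, for example `/* superuser policy: report the sets implied by euid/fsuid 0; CAP_SETPCAP is never reported effective */`. The effective mask `(~0 & ~CAP_TO_MASK(CAP_SETPCAP) & ~CAP_FS_MASK)` is spelled out by hand; if the capability header already names an initial effective set (not visible here), building on that name would keep the two from drifting apart. It is also worth confirming that the module's capable hook, which lies outside this hunk, agrees with the reported effective mask for CAP_SETPCAP, since a mismatch would make capget under-report what the task can actually do.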
@@ -35,7 +46,7 @@ static int dummy_capset_check (struct task_struct *target,
kernel_cap_t * inheritable,
kernel_cap_t * permitted)
{
- return 0;
+ return -EPERM;
}
static void dummy_capset_set (struct task_struct *target,
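Review bot: dummy_capset_check now refuses every request with `return -EPERM;` and nothing in the body says why, which reads like a stub rather than a deliberate policy decision. A one-line comment such as `/* superuser policy derives capabilities from uid, so capset is always refused */` would make the intent clear to the next maintainer. If the caller only reaches dummy_capset_set after a successful check (the call site is not visible here), that function, which begins on the last line of this hunk and continues outside it, becomes unreachable and could say so in a comment as well. The signature of dummy_capset_check also starts above the hunk, so the unused parameters cannot be reviewed from here.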