Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757488AbWKWXXE (ORCPT ); Thu, 23 Nov 2006 18:23:04 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1757485AbWKWXXD (ORCPT ); Thu, 23 Nov 2006 18:23:03 -0500 Received: from moutng.kundenserver.de ([212.227.126.183]:57293 "EHLO moutng.kundenserver.de") by vger.kernel.org with ESMTP id S1757482AbWKWXXB (ORCPT ); Thu, 23 Nov 2006 18:23:01 -0500 Date: Fri, 24 Nov 2006 00:21:44 +0100 From: Chris Friedhoff To: "Serge E. Hallyn" Cc: Andrew Morton , Chris Friedhoff , linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Stephen Smalley , James Morris , Chris Wright , KaiGai Kohei , Alexey Dobriyan Subject: Re: security: introduce file caps Message-Id: <20061124002144.18231ae9.chris@friedhoff.org> In-Reply-To: <20061123214159.GA23800@sergelap.austin.ibm.com> References: <20061114030655.GB31893@sergelap> <20061123001458.fe73f64a.akpm@osdl.org> <20061123002207.5e18bade.akpm@osdl.org> <20061123131203.f7b6972f.chris@friedhoff.org> <20061123103920.8d908952.akpm@osdl.org> <20061123214159.GA23800@sergelap.austin.ibm.com> X-Mailer: Sylpheed version 2.2.10 (GTK+ 2.8.20; i486-slackware-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Provags-ID: kundenserver.de abuse@kundenserver.de login:9d7f00276fac4b25ba506f26988c1e36 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1501 Lines: 48 I can confirm this behavior, but only in the interaction of xinit and X. ping and ntpdate behave with a patched kernel but CONFIG_SECURITY_FS_CAPABILITIES=n like expected, even with empty or wrong capabilities. Tested with 2.6.18.3 kernel Chris On Thu, 23 Nov 2006 15:41:59 -0600 "Serge E. Hallyn" wrote: > Quoting Andrew Morton (akpm@osdl.org): > > On Thu, 23 Nov 2006 13:12:03 +0100 > > Chris Friedhoff wrote: > > > > > xinit respects capabilities (at least i guess), so when the system has > > > capability-support, the binary /usr/X11R6/bin/xinit neeeds the > > > capability cap_kill even when no capability extended attribute exists > > > for this binary. > > > > > > setfcaps cap_kill=ep /usr/X11R6/bin/xinit > > > > > > I documented this here: > > > http://www.friedhoff.org/fscaps.html#Xorg,%20xinit,%20xfce,%20kde > > > > > > and for more: > > > http://www.friedhoff.org/fscaps.html > > > > > > > Even when CONFIG_SECURITY_FS_CAPABILITIES=n? > > No, the patch shouldn't change behavior when > CONFIG_SECURITY_FS_CAPABILITIES=n, though of course I see why it did. I > will send a fixed patch tomorrow or this weekend. > > sorry, > -serge -------------------- Chris Friedhoff chris@friedhoff.org - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/