Hi,
what is the right way to get the current capability setting inherited through
execve()?
My goal is a wrapper program that sets the needed capabilities and then
execve()s the real program. These capabilities should also be inherited if
the real program spawns childs via fork/exec.
Is that possible?
I read the appropriate parts of fs/exec.c where
/*
* This function is used to produce the new IDs and capabilities
* from the old ones and the file's capabilities.
*
* The formula used for evolving capabilities is:
*
* pI' = pI
* (***) pP' = (fP & X) | (fI & pI)
* pE' = pP' & fE [NB. fE is 0 or ~0]
*
* I=Inheritable, P=Permitted, E=Effective // p=process, f=file
* ' indicates post-exec(), and X is the global 'cap_bset'.
*
*/
is implemented. The problem is that fP and fE are either 0 or ~0 depending on
the current uid or the uid of the file to be executed (if S_ISUID). Thus pP'
is only masked by cap_bset which is a global constant (0xfffffeff).
Torsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE+XlsbwicyCTir8T4RAjaaAJ9dU8E0YWy1fBnf6OdIX0wr7aQQ2gCgwObJ
aSAxVyLvV0n4MN4E84VVERg=
=YE3a
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/