Re: [PATCH][LSM] Early init for security modules and various cleanups

Chris Wright (chris@wirex.com)
Mon, 2 Jun 2003 03:09:46 -0700


* Grzegorz Jaskiewicz (gj@pointblue.com.pl) wrote:
> On Mon, 2 Jun 2003, Chris Wright wrote:
>
> > @@ -91,7 +92,7 @@
> > * Superuser processes are usually more important, so we make it
> > * less likely that we kill those.
> > */
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
> > + if (!security_capable(p,CAP_SYS_ADMIN) ||
> > p->uid == 0 || p->euid == 0)
> > points /= 4;
> ..............
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
> > + if (!security_capable(p,CAP_SYS_RAWIO))
> > points /= 4;
>
> Correct me if i am wrong, but I think it is not a good idea to favor
> applications with more
> capabilities, as ussualy those are most wanted target on a system.

security_capable() returns 0 if that capability bit is set. so there is
no functional change here, just allows the security module to see the
capability check that was hand coded.

thanks,
-chris

-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/