Re: [PATCH][LSM] Early init for security modules and various cleanups
Chris Wright (chris@wirex.com)
Mon, 2 Jun 2003 03:09:46 -0700
* Grzegorz Jaskiewicz (gj@pointblue.com.pl) wrote:
> On Mon, 2 Jun 2003, Chris Wright wrote:
>
> > @@ -91,7 +92,7 @@
> > * Superuser processes are usually more important, so we make it
> > * less likely that we kill those.
> > */
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_ADMIN) ||
> > + if (!security_capable(p,CAP_SYS_ADMIN) ||
> > p->uid == 0 || p->euid == 0)
> > points /= 4;
> ..............
> > - if (cap_t(p->cap_effective) & CAP_TO_MASK(CAP_SYS_RAWIO))
> > + if (!security_capable(p,CAP_SYS_RAWIO))
> > points /= 4;
>
> Correct me if i am wrong, but I think it is not a good idea to favor
> applications with more
> capabilities, as ussualy those are most wanted target on a system.
security_capable() returns 0 if that capability bit is set. so there is
no functional change here, just allows the security module to see the
capability check that was hand coded.
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/