Your patch: allows guests to change /proc/sys/kernel/cap-bound.
My patch: prevents chcontext from intersecting I, E, and P with
cap-bound. (instead, it uses bcapabilities)
I don't change the meanings of any variables.
Here's an example of the breakage.
Context 0:
$ sudo cat /proc/sys/kernel/cap-bound
128
$ /usr/sbin/getpcaps =
Capabilities for `=': =i cap_setpcap-i
$ cat /proc/self/status |grep Cap
CapInh: 00000000fffffeff
CapPrm: 0000000000000000
CapEff: 0000000000000000
$ sudo cat /proc/self/status |grep Cap
CapInh: 00000000fffffeff
CapPrm: 00000000fffffeff
CapEff: 00000000fffffeff
$ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " /usr/sbin/getpcaps =
Capabilities for `=': = cap_setgid,cap_setuid+i
$ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " cat /proc/self/status |grep Cap
CapInh: 00000000000000c0
CapPrm: 0000000000000000
CapEff: 0000000000000000
$ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " sudo /usr/sbin/getpcaps =
Capabilities for `=': = cap_setgid,cap_setuid+eip
$ /usr/sbin/execcap " = cap_setuid,cap_setgid+i " sudo cat /proc/self/status |grep Cap
CapInh: 00000000000000c0
CapPrm: 00000000000000c0
CapEff: 00000000000000c0
Starting a vserver:
# vserver test start
vnamespace: vc_set_namespace(): Function not implemented
An error occured while executing the vserver startup sequence; when
there are no other messages, it is very likely that the init-script
(/etc/rc.d/rc 3) failed.
Common causes are:
* /etc/rc.d/rc on Fedora Core 1 and RH9 fails always; the 'apt-rpm' build
method knows how to deal with this, but on existing installations,
appending 'true' to this file will help.
Failed to start vserver 'test'
Want to know why? It's because my cap-bound excludes CAP_CONTEXT, and
the chcontext() call is intersecting with cap-bound. Thus, the vserver
process is left with setuid only. (cap-bound is 128)
Filtering on bcapabilities instead makes things work right.
Do you have another solution?
Joe
Received on Tue Jun 17 03:14:09 2008
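Added example, not part of Joe's message or of the util-vserver code: a small Python decoder for the CapInh/CapPrm/CapEff lines quoted above, plus a simulation of the cap-bound intersection the message blames for the failed vserver start. Capability bit numbers are the mainline Linux values (CAP_SETGID=6, CAP_SETUID=7, CAP_SETPCAP=8, so 0xc0 is setgid+setuid and 0xfffffeff is everything below bit 32 except setpcap). The vserver-only CAP_CONTEXT bit is not numbered on the page, so a clearly labelled placeholder bit stands in for it; the sample status text is constructed from the output shown in the message.

```python
"""Decode /proc/<pid>/status capability masks and show what the old
cap-bound intersection does to a context's capability sets.

Added example; not the original email's or util-vserver's code.
"""
import re

# Mainline Linux capability numbers (bit positions in the hex masks).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    3: "cap_fowner", 4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid",
    7: "cap_setuid", 8: "cap_setpcap", 9: "cap_linux_immutable",
    10: "cap_net_bind_service", 11: "cap_net_broadcast",
    12: "cap_net_admin", 13: "cap_net_raw", 14: "cap_ipc_lock",
    15: "cap_ipc_owner", 16: "cap_sys_module", 17: "cap_sys_rawio",
    18: "cap_sys_chroot", 19: "cap_sys_ptrace", 20: "cap_sys_pacct",
    21: "cap_sys_admin", 22: "cap_sys_boot", 23: "cap_sys_nice",
    24: "cap_sys_resource", 25: "cap_sys_time", 26: "cap_sys_tty_config",
    27: "cap_mknod", 28: "cap_lease", 29: "cap_audit_write",
    30: "cap_audit_control", 31: "cap_setfcap",
}

# HYPOTHETICAL placeholder: the vserver patch's CAP_CONTEXT bit number is
# not given on the page, so an otherwise unused high bit stands in for it.
CAP_CONTEXT_PLACEHOLDER_BIT = 40
CAP_NAMES[CAP_CONTEXT_PLACEHOLDER_BIT] = "cap_context(placeholder)"

# Constructed sample, modelled on the `cat /proc/self/status |grep Cap`
# output in the message (real /proc uses a tab after the colon).
SAMPLE_STATUS = (
    "Name:\tcat\n"
    "CapInh: 00000000000000c0\n"
    "CapPrm: 00000000000000c0\n"
    "CapEff: 00000000000000c0\n"
)

_CAP_LINE = re.compile(r"^(CapInh|CapPrm|CapEff):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_status_caps(text: str) -> dict:
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int} from status text."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(text)}


def decode_mask(mask: int) -> list:
    """Names of the capabilities whose bits are set, lowest bit first."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1]


def intersect_with_bound(caps: dict, cap_bound: int) -> dict:
    """Model of the breakage: every set is ANDed with cap-bound."""
    return {name: value & cap_bound for name, value in caps.items()}


def vserver_breakage_demo(cap_bound: int = 128) -> list:
    """What a context keeps when chcontext() intersects I, E and P with a
    cap-bound of 128 (the value quoted in the message)."""
    wanted = (1 << 6) | (1 << 7) | (1 << CAP_CONTEXT_PLACEHOLDER_BIT)
    sets = {"CapInh": wanted, "CapPrm": wanted, "CapEff": wanted}
    left = intersect_with_bound(sets, cap_bound)
    return decode_mask(left["CapEff"])


if __name__ == "__main__":
    for name, mask in parse_status_caps(SAMPLE_STATUS).items():
        print(f"{name}: {mask:016x} -> {decode_mask(mask)}")
    print("after cap-bound=128 intersection:", vserver_breakage_demo())
```

Running it reproduces the observation in the message: the requested sets collapse to cap_setuid alone once ANDed with a cap-bound of 128, which is why the context cannot call into the vserver namespace code. The same parser can be pointed at a live `/proc/<pid>/status` to audit what a guest was actually left with.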