From gilboad at gmail.com Tue Nov 3 06:54:49 2009 From: gilboad at gmail.com (Gilboa Davara) Date: Tue, 03 Nov 2009 08:54:49 +0200 Subject: Checking if running kernel compiled with CONFIG_PREEMPT In-Reply-To: References: Message-ID: <1257231289.32548.5.camel@gilboa-home-dev.localdomain> On Fri, 2009-10-30 at 17:21 +0000, planetf1 wrote: > I have a 2.6.31 kernel from F12. > > I believe I've built it with CONFIG_PREEMPT but given the intracacies of > the rpm build, what's the easiest way to check an installed kernel to > see if that flag had been used during build? grep CONFIG_PREEMPT /boot/config-$(uname -r) (Replace the uname -r by the kernel version for kernels other than the current running kernel) - Gilboa From jmorris at namei.org Tue Nov 10 22:56:57 2009 From: jmorris at namei.org (James Morris) Date: Wed, 11 Nov 2009 09:56:57 +1100 (EST) Subject: drop SECURITY_FILE_CAPABILITIES? (fwd) Message-ID: How might this affect the Fedora kernel? ---------- Forwarded message ---------- Date: Tue, 10 Nov 2009 08:07:39 -0600 From: Serge E. Hallyn To: lkml Cc: linux-security-module at vger.kernel.org, Andrew Morgan , Steve Grubb , Kees Cook , Andreas Gruenbacher , Michael Kerrisk , George Wilson Subject: drop SECURITY_FILE_CAPABILITIES? Hey, Just a probe to see what people think. I've seen two cases in about the last month where software was confounded by an assumption that prctl(PR_CAPBSET_DROP, CAP_SOMETHING) would succeed if privileged, but not handling the fact that SECURITY_FILE_CAPABILITIES=n means you can't do that. Are we at the point yet where we feel we can get rid of the SECURITY_FILE_CAPABILITIES=n case? Note that there is a boot arg no_file_caps which prevents file capabilities from being used if SECURITY_FILE_CAPABILITIES=y. I think that's the case most users will care about, whereas the remaining differences between CONFIG_SECURITY_FILE_CAPABILITIES=y and =n are that with CONFIG_SECURITY_FILE_CAPABILITIES=y : (1) certain security hooks (task_setscheduler, task_setioprio, and task_setnice) do capability set comparisions, (2) it is possible to drop capabilities from the bounding set, (3) it is possible to set per-task securelevels, (4) and it is possible to add any capability to your inheritable set if you have CAP_SETPCAP. Does anyone know of cases where CONFIG_SECURITY_FILE_CAPABILITIES=n is still perceived as useful? thanks, -serge -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html From davej at redhat.com Tue Nov 10 23:00:08 2009 From: davej at redhat.com (Dave Jones) Date: Tue, 10 Nov 2009 18:00:08 -0500 Subject: drop SECURITY_FILE_CAPABILITIES? (fwd) In-Reply-To: References: Message-ID: <20091110230008.GA4547@redhat.com> On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote: > How might this affect the Fedora kernel? We set it =y, so it wouldn't affect us if I understand correctly. Also, I'm not sure that anything in userspace is actually using this feature yet anyway. Dave From ajax at redhat.com Wed Nov 11 14:52:02 2009 From: ajax at redhat.com (Adam Jackson) Date: Wed, 11 Nov 2009 09:52:02 -0500 Subject: drop SECURITY_FILE_CAPABILITIES? (fwd) In-Reply-To: <20091110230008.GA4547@redhat.com> References: <20091110230008.GA4547@redhat.com> Message-ID: <1257951122.7251.2280.camel@atropine.boston.devel.redhat.com> On Tue, 2009-11-10 at 18:00 -0500, Dave Jones wrote: > On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote: > > How might this affect the Fedora kernel? > > We set it =y, so it wouldn't affect us if I understand correctly. > Also, I'm not sure that anything in userspace is actually using > this feature yet anyway. google codesearch to the rescue: http://google.com/codesearch?hl=en&sa=N&filter=0&q=prctl.*PR_CAPBSET_DROP - ajax From davej at redhat.com Wed Nov 11 16:32:24 2009 From: davej at redhat.com (Dave Jones) Date: Wed, 11 Nov 2009 11:32:24 -0500 Subject: drop SECURITY_FILE_CAPABILITIES? (fwd) In-Reply-To: <1257951122.7251.2280.camel@atropine.boston.devel.redhat.com> References: <20091110230008.GA4547@redhat.com> <1257951122.7251.2280.camel@atropine.boston.devel.redhat.com> Message-ID: <20091111163224.GA7156@redhat.com> On Wed, Nov 11, 2009 at 09:52:02AM -0500, Adam Jackson wrote: > On Tue, 2009-11-10 at 18:00 -0500, Dave Jones wrote: > > On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote: > > > How might this affect the Fedora kernel? > > > > We set it =y, so it wouldn't affect us if I understand correctly. > > Also, I'm not sure that anything in userspace is actually using > > this feature yet anyway. > > google codesearch to the rescue: > > http://google.com/codesearch?hl=en&sa=N&filter=0&q=prctl.*PR_CAPBSET_DROP afaik, that prctl is available regardless of the option being set. I meant I don't think anything we ship is using the file capabilities, which is a way of marking executable files with the caps they need instead of having them be setuid. (I'm not even sure what tool we would use to set those capabilities, or if we ship it) Dave From eparis at redhat.com Wed Nov 11 16:40:17 2009 From: eparis at redhat.com (Eric Paris) Date: Wed, 11 Nov 2009 11:40:17 -0500 Subject: drop SECURITY_FILE_CAPABILITIES? (fwd) In-Reply-To: <20091111163224.GA7156@redhat.com> References: <20091110230008.GA4547@redhat.com> <1257951122.7251.2280.camel@atropine.boston.devel.redhat.com> <20091111163224.GA7156@redhat.com> Message-ID: <1257957617.3744.2.camel@dhcp231-106.rdu.redhat.com> On Wed, 2009-11-11 at 11:32 -0500, Dave Jones wrote: > On Wed, Nov 11, 2009 at 09:52:02AM -0500, Adam Jackson wrote: > > On Tue, 2009-11-10 at 18:00 -0500, Dave Jones wrote: > > > On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote: > > > > How might this affect the Fedora kernel? > > > > > > We set it =y, so it wouldn't affect us if I understand correctly. > > > Also, I'm not sure that anything in userspace is actually using > > > this feature yet anyway. > > > > google codesearch to the rescue: > > > > http://google.com/codesearch?hl=en&sa=N&filter=0&q=prctl.*PR_CAPBSET_DROP > > afaik, that prctl is available regardless of the option being set. > I meant I don't think anything we ship is using the file capabilities, > which is a way of marking executable files with the caps they need > instead of having them be setuid. > > (I'm not even sure what tool we would use to set those capabilities, > or if we ship it) /usr/sbin/setcap from libcap But you are right, Fedora makes no use of file capabilities anywhere in the distro to my knowledge. -Eric