drop SECURITY_FILE_CAPABILITIES? (fwd)

Dave Jones davej at redhat.com
Wed Nov 11 16:32:24 UTC 2009


On Wed, Nov 11, 2009 at 09:52:02AM -0500, Adam Jackson wrote:
 > On Tue, 2009-11-10 at 18:00 -0500, Dave Jones wrote:
 > > On Wed, Nov 11, 2009 at 09:56:57AM +1100, James Morris wrote:
 > >  > How might this affect the Fedora kernel?
 > > 
 > > We set it =y, so it wouldn't affect us if I understand correctly.
 > > Also, I'm not sure that anything in userspace is actually using
 > > this feature yet anyway.
 > 
 > google codesearch to the rescue:
 > 
 > http://google.com/codesearch?hl=en&sa=N&filter=0&q=prctl.*PR_CAPBSET_DROP

afaik, that prctl is available regardless of the option being set.
I meant I don't think anything we ship is using the file capabilities,
which is a way of marking executable files with the caps they need
instead of having them be setuid.

(I'm not even sure what tool we would use to set those capabilities,
 or if we ship it)

	Dave
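
The file capabilities mentioned in this message are stored in the `security.capability` extended attribute of the executable. The following is an added example, not part of the original message: a Python decoder for that attribute's on-disk layout (`struct vfs_cap_data` in `linux/capability.h`), for auditing which binaries carry capabilities in place of the setuid bit. It also handles the later revision 3 layout; the function names and the sample bytes are this example's own.

```python
import errno
import os
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # low bit of magic_etc: the "e" in "+ep"
# revision -> count of 32-bit (permitted, inheritable) pairs; v3 adds a rootid
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid "
             "setuid setpcap linux_immutable net_bind_service net_broadcast "
             "net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio "
             "sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
             "sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap mac_override mac_admin syslog").split()

def cap_names(mask):
    """Names for the bits set in a 64-bit capability mask."""
    return ["cap_" + CAP_NAMES[b] if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(64) if mask >> b & 1]

def decode_file_caps(raw):
    """Decode a security.capability xattr value (little-endian on disk)."""
    if len(raw) < 4:
        raise ValueError("too short for magic_etc")
    (magic,) = struct.unpack_from("<I", raw)
    rev = magic & VFS_CAP_REVISION_MASK
    if rev not in PAIRS:
        raise ValueError(f"unknown revision {rev:#x}")
    n, v3 = PAIRS[rev], rev == 0x03000000
    if len(raw) != 4 + 8 * n + (4 if v3 else 0):
        raise ValueError("length does not match revision")
    permitted = inheritable = 0
    for i in range(n):  # pair i holds bits 32*i .. 32*i+31 of each set
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << 32 * i
        inheritable |= inh << 32 * i
    return {"revision": rev >> 24,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable),
            "rootid": struct.unpack_from("<I", raw, 4 + 8 * n)[0] if v3 else None}

def file_caps(path):
    """Decode the xattr of a real file (Linux only); None if it has none."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError as e:
        if e.errno == errno.ENODATA:
            return None
        raise

# Constructed sample: revision 2, effective bit set, permitted = CAP_NET_RAW (bit 13)
SAMPLE = bytes.fromhex("01000002" "00200000" "00000000" "00000000" "00000000")
```
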
 




More information about the Fedora-kernel-list mailing list