fedora 9 help with unknown symbols in kernel -- cap_capget cap_capset_set

stan eiqep_eiwo_y at cox.net
Tue Jun 17 14:00:28 UTC 2008


Skunk Worx wrote:

[snip]
>>
>> I'm looking at the source code for the two kernels now.
>>
>> 2.6.23:
>> -------
>> extern int cap_capget (struct task_struct *target, kernel_cap_t 
>> *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
>> ./linux-2.6.23/include/linux/security.h
>>
>> and
>>
>> int cap_capget (struct task_struct *target, kernel_cap_t *effective,
>> EXPORT_SYMBOL(cap_capget);
>> ./linux-2.6.23/security/commoncap.c
>>
>>
>> 2.6.25:
>> -------
>> extern int cap_capget (struct task_struct *target, kernel_cap_t 
>> *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);   
>> ./linux-2.6.25/include/linux/security.h
>>
>> and
>>
>> int cap_capget (struct task_struct *target, kernel_cap_t *effective,
>> ./linux-2.6.25/security/commoncap.c
>>
>> ...so someone took out a group of EXPORT_SYMBOLS :
>>
>> EXPORT_SYMBOL(cap_capable);
>> EXPORT_SYMBOL(cap_settime);
>> EXPORT_SYMBOL(cap_ptrace);
>> EXPORT_SYMBOL(cap_capget);
>> EXPORT_SYMBOL(cap_capset_check);
>> EXPORT_SYMBOL(cap_capset_set);
>> EXPORT_SYMBOL(cap_bprm_set_security);
>> EXPORT_SYMBOL(cap_bprm_apply_creds);
>> EXPORT_SYMBOL(cap_bprm_secureexec);
>> EXPORT_SYMBOL(cap_inode_setxattr);
>> EXPORT_SYMBOL(cap_inode_removexattr);
>> EXPORT_SYMBOL(cap_task_post_setuid);
>> EXPORT_SYMBOL(cap_task_reparent_to_init);
>> EXPORT_SYMBOL(cap_syslog);
>> EXPORT_SYMBOL(cap_vm_enough_memory);
>>
>> This seems relevant :
>>
>> http://lists.openwall.net/linux-kernel/2007/08/14/418
>>
>> ...esp. the statement : "- remove a bunch of no longer used exports"
>>
>> Sounds like people can't use the POSIX capability API to set things 
>> like CAP_SYS_NICE in their drivers any more, or maybe there is a new 
>> way to do such things.
>>
>> At least one of our ring nodes (sometimes more) needs to adjust the 
>> scheduler to keep up with the incoming data.
>>
>> ---
>> John
>>
>
> ...I think I found it :
>
> http://lwn.net/Articles/211207/
>
> http://www.friedhoff.org/posixfilecaps.html
>
> Very cool...I am looking forward to trying this.
>
> ---
> John
>
Very cool indeed.  Thanks for posting this.  The article is a great read. 
And I too will be trying this out.  I checked and Fedora 9 only provides 
libcap 2.0.6 whereas 2.0.8 is needed for all the neat capabilities.
This is powerful.  What a great way to lock down an installation.  
Almost seems like the dual of the SELinux work.
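
Added example, not part of the thread or of any project named in it: when CAP_SYS_NICE is granted to a user-space binary through file capabilities (the approach in the linked articles) instead of by a driver calling the no-longer-exported cap_* functions, the process can confirm the capability is in its effective set before it touches the scheduler. The code reads the CapEff mask from /proc/self/status; the function names cap_mask_from_status and may_raise_priority are hypothetical.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_NICE_BIT 23 /* value of CAP_SYS_NICE in <linux/capability.h> */

/* Parse the hex mask of one capability field ("CapPrm", "CapEff", ...) from
 * /proc/<pid>/status text. Returns 0 on success, -1 if missing or malformed. */
int cap_mask_from_status(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    for (const char *line = status; line && *line;
         line = strchr(line, '\n'), line = line ? line + 1 : NULL) {
        if (strncmp(line, field, flen) != 0 || line[flen] != ':')
            continue;
        const char *val = line + flen + 1;
        while (*val == ' ' || *val == '\t')
            val++;
        if (!isxdigit((unsigned char)*val))
            return -1; /* empty value: do not read into the next line */
        *mask = (uint64_t)strtoull(val, NULL, 16);
        return 0;
    }
    return -1;
}

/* 1 only if CAP_SYS_NICE is in the effective set; fails closed on bad input. */
int may_raise_priority(const char *status)
{
    uint64_t eff;
    if (cap_mask_from_status(status, "CapEff", &eff) != 0)
        return 0;
    return (int)((eff >> CAP_SYS_NICE_BIT) & 1);
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        perror("/proc/self/status");
        return 2;
    }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    puts(may_raise_priority(buf) ? "CAP_SYS_NICE is effective"
                                 : "CAP_SYS_NICE is not effective");
    return 0;
}
```

A binary that has only CAP_SYS_NICE in its file capabilities shows the mask 0000000000800000 in CapPrm and CapEff, which is the least-privilege alternative to running the whole process as root.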



