Date: Mon, 9 Mar 2015 09:36:53 -0500
From: "Serge E. Hallyn"
To: Christoph Lameter
Cc: "Serge E. Hallyn", Andy Lutomirski, Serge Hallyn, Jonathan Corbet, Aaron Jones, LSM List, "linux-kernel@vger.kernel.org", Andrew Morton, "Andrew G. Morgan", Mimi Zohar, Austin S Hemmelgarn, Markku Savela, Jarkko Sakkinen, Linux API, Michael Kerrisk
Subject: Re: [PATCH] capabilities: Ambient capability set V2
Message-ID: <20150309143653.GA29594@mail.hallyn.com>
References: <20150305171326.GA14998@mail.hallyn.com> <20150306163443.GA28386@mail.hallyn.com> <20150306200838.GA29198@mail.hallyn.com> <20150307213554.GB9833@mail.hallyn.com>

On Mon, Mar 09, 2015 at 07:05:24AM -0500, Christoph Lameter wrote:
> On Sat, 7 Mar 2015, Serge E. Hallyn wrote:
>
> > > The ancestor here is ambient_test and when it is run pI will not be set
> > > despite the cap setting.
> >
> > ambient_test is supposed to set it.
>
> I thought the setcap +i would do it.
>
> So the setcap and setting of the file inheritance bits has no effect on
> pI? When the process starts pI is off despite fI being set?

Correct, pI must be set through capset(). Again, x in fI is saying that
certain trusted users may have x in pP when they run the binary; x in pI
means that the users may have x in pP when they run certain files.
Other users running the file won't have x in pP, and the special user
running other files won't have x in pP.
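The exec-time rule behind this exchange (file fI bits only matter when the process already put the capability into pI via capset()), as an added worked model of the classic capabilities(7) transform; this is illustration code, not code from the patch or from anyone in the thread, and the capset() helper is a simplified stand-in for the real rule.

```python
# Model of the classic (pre-ambient) capability transform on execve(),
# per capabilities(7).  Sets are bitmasks; the CAP_* numbers are the real
# ones from <linux/capability.h>, ALL_CAPS is a constructed "full" bounding set.
#
#   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & cap_bset)
#   P'(effective)   = P'(permitted) if F(effective) else 0
#   P'(inheritable) = P(inheritable)      (unchanged by exec)

CAP_NET_BIND_SERVICE = 1 << 10
CAP_SYS_ADMIN = 1 << 21
ALL_CAPS = (1 << 38) - 1


def exec_transform(pI, fI, fP, fE=True, bset=ALL_CAPS):
    """Return (pP', pE', pI') for a process whose inheritable set is pI
    when it execs a file carrying fI, fP and the fE flag."""
    new_pP = (pI & fI) | (fP & bset)
    new_pE = new_pP if fE else 0
    return new_pP, new_pE, pI


def capset_inheritable(pP, pI, wanted, bset=ALL_CAPS):
    """Simplified capset() rule for pI: a process may add a capability to its
    inheritable set only if it already holds it in pP (the CAP_SETPCAP path
    that allows anything in the bounding set is omitted from this model)."""
    return pI | (wanted & pP & bset)


def has(mask, cap):
    return bool(mask & cap)


# Constructed scenario from the thread: a file with x in fI only
# ("setcap cap_net_bind_service+i"), i.e. fP is empty.
FI_ONLY = dict(fI=CAP_NET_BIND_SERVICE, fP=0)


def scenario_file_bit_only():
    # Starting process never called capset(): pI is empty, so x does not reach pP.
    pP, _, _ = exec_transform(pI=0, **FI_ONLY)
    return has(pP, CAP_NET_BIND_SERVICE)   # False


def scenario_capset_then_exec():
    # A process holding x in pP moves it into pI via capset(), then execs the file.
    pI = capset_inheritable(pP=CAP_NET_BIND_SERVICE, pI=0, wanted=CAP_NET_BIND_SERVICE)
    pP, _, _ = exec_transform(pI=pI, **FI_ONLY)
    return has(pP, CAP_NET_BIND_SERVICE)   # True


def scenario_other_file():
    # Same pI, but a file with no x in fI: pI alone is not enough either.
    pI = capset_inheritable(pP=CAP_NET_BIND_SERVICE, pI=0, wanted=CAP_NET_BIND_SERVICE)
    pP, _, _ = exec_transform(pI=pI, fI=0, fP=0)
    return has(pP, CAP_NET_BIND_SERVICE)   # False
```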