From: Andy Lutomirski
Date: Fri, 6 Mar 2015 11:02:43 -0800
Subject: Re: [PATCH] capabilities: Ambient capability set V2
To: Christoph Lameter
Cc: "Serge E. Hallyn", Serge Hallyn, Jonathan Corbet, Aaron Jones, LSM List, linux-kernel@vger.kernel.org, Andrew Morton, "Andrew G. Morgan", Mimi Zohar, Austin S Hemmelgarn, Markku Savela, Jarkko Sakkinen, Linux API, Michael Kerrisk
References: <20150301233359.GA22196@mail.hallyn.com> <20150305171326.GA14998@mail.hallyn.com> <20150306163443.GA28386@mail.hallyn.com>

On Fri, Mar 6, 2015 at 10:53 AM, Christoph Lameter wrote:
> On Fri, 6 Mar 2015, Serge E. Hallyn wrote:
>
>> Sorry, something about that patch-patch didn't make sense to me, but I
>> need to look more closely. My objection was that you were able to get the
>> pA capabilities into pP without them being in your pI. Your proposed
>> change didn't seem like it would fix that.
>
> Just tried to fix that. Could it be that cap_inherited is never set even
> for a binary that has
>
> christoph@fujitsu-haswell:~$ getcap ambient_test
>
> ambient_test = cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_nice+eip

I think that's right. fI doesn't set pI.

--Andy
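The exec-time capability transition behind Andy's answer, as an added example that is not part of the original thread: it parses the getcap line quoted above with a small constructed name-to-bit table (bit numbers as in linux/capability.h) and applies the pre-ambient rule from capabilities(7), showing that fI contributes to pP' only through bits already in pI and never populates pI itself. The ambient set added by the patch is not modeled.

```python
"""Model of the exec-time capability transition (pre-ambient rule),
to show why file inheritable bits (fI) never populate the process
inheritable set (pI). Constructed example; not kernel code."""

# Constructed subset of capability names -> bit numbers. The numbers
# match linux/capability.h for these four; other names are rejected.
CAP_BITS = {
    "cap_setpcap": 8,
    "cap_net_admin": 12,
    "cap_net_raw": 13,
    "cap_sys_nice": 23,
}
ALL_CAPS = sum(1 << b for b in CAP_BITS.values())


def parse_getcap(line):
    """Parse one getcap output line such as
    'ambient_test = cap_net_raw+eip' into (fP, fI, fE) bitmasks.
    Simplified: only '+' clauses separated by spaces are handled."""
    _path, _, spec = line.partition(" = ")
    f_perm = f_inh = f_eff = 0
    for clause in spec.split():
        names, _, flags = clause.partition("+")
        mask = 0
        for name in names.split(","):
            mask |= 1 << CAP_BITS[name]
        if "p" in flags:
            f_perm |= mask
        if "i" in flags:
            f_inh |= mask
        if "e" in flags:
            f_eff |= mask
    return f_perm, f_inh, f_eff


def exec_transition(p_inh, p_bound, f_perm, f_inh, f_eff):
    """capabilities(7) rule without the ambient set:
         pP' = (pI & fI) | (fP & bounding)
         pE' = pP' if the file effective bit is set, else 0
         pI' = pI          <- fI is never copied into pI
    Returns (pP', pE', pI')."""
    new_perm = (p_inh & f_inh) | (f_perm & p_bound)
    new_eff = new_perm if f_eff else 0
    return new_perm, new_eff, p_inh


def demo():
    """Run the quoted binary from a caller with an empty pI."""
    line = "ambient_test = cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_nice+eip"
    return exec_transition(0, ALL_CAPS, *parse_getcap(line))
```

With pI = 0 the process still gets all four bits in pP' and pE' via fP, but pI' stays 0: the +i flags on the file did nothing, and a file carrying only +i (for example cap_net_raw+i) yields an empty pP' unless the caller already held that bit in pI.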