aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSerge E. Hallyn <serue@us.ibm.com>2009-11-23 17:21:30 -0500
committerJames Morris <jmorris@namei.org>2009-11-23 23:06:47 -0500
commitb3a222e52e4d4be77cc4520a57af1a4a0d8222d1 (patch)
tree1c3d5df529a404636b996ef39c991c9b8813aa12
parent0bce95279909aa4cc401a2e3140b4295ca22e72a (diff)
remove CONFIG_SECURITY_FILE_CAPABILITIES compile option
As far as I know, all distros currently ship kernels with default CONFIG_SECURITY_FILE_CAPABILITIES=y. Since having the option on leaves a 'no_file_caps' option to boot without file capabilities, the main reason to keep the option is that turning it off saves you (on my s390x partition) 5k. In particular, vmlinux sizes came to: without patch fscaps=n: 53598392 without patch fscaps=y: 53603406 with this patch applied: 53603342 with the security-next tree. Against this we must weigh the fact that there is no simple way for userspace to figure out whether file capabilities are supported, while things like per-process securebits, capability bounding sets, and adding bits to pI if CAP_SETPCAP is in pE are not supported with SECURITY_FILE_CAPABILITIES=n, leaving a bit of a problem for applications wanting to know whether they can use them and/or why something failed. It also adds another subtly different set of semantics which we must maintain at the risk of severe security regressions. So this patch removes the SECURITY_FILE_CAPABILITIES compile option. It drops the kernel size by about 50k over the stock SECURITY_FILE_CAPABILITIES=y kernel, by removing the cap_limit_ptraced_target() function. Changelog: Nov 20: remove cap_limit_ptraced_target() as it's logic was ifndef'ed. Signed-off-by: Serge E. Hallyn <serue@us.ibm.com> Acked-by: Andrew G. Morgan" <morgan@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--include/linux/capability.h2
-rw-r--r--include/linux/init_task.h4
-rw-r--r--kernel/capability.c2
-rw-r--r--security/Kconfig9
-rw-r--r--security/commoncap.c72
5 files changed, 2 insertions, 87 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h
index c8f2a5f70ed5..39e5ff512fbe 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -92,9 +92,7 @@ struct vfs_cap_data {
92#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 92#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
93#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 93#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
94 94
95#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
96extern int file_caps_enabled; 95extern int file_caps_enabled;
97#endif
98 96
99typedef struct kernel_cap_struct { 97typedef struct kernel_cap_struct {
100 __u32 cap[_KERNEL_CAPABILITY_U32S]; 98 __u32 cap[_KERNEL_CAPABILITY_U32S];
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 21a6f5d9af22..8d10aa7fd4c9 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -83,16 +83,12 @@ extern struct group_info init_groups;
83#define INIT_IDS 83#define INIT_IDS
84#endif 84#endif
85 85
86#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
87/* 86/*
88 * Because of the reduced scope of CAP_SETPCAP when filesystem 87 * Because of the reduced scope of CAP_SETPCAP when filesystem
89 * capabilities are in effect, it is safe to allow CAP_SETPCAP to 88 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
90 * be available in the default configuration. 89 * be available in the default configuration.
91 */ 90 */
92# define CAP_INIT_BSET CAP_FULL_SET 91# define CAP_INIT_BSET CAP_FULL_SET
93#else
94# define CAP_INIT_BSET CAP_INIT_EFF_SET
95#endif
96 92
97#ifdef CONFIG_TREE_PREEMPT_RCU 93#ifdef CONFIG_TREE_PREEMPT_RCU
98#define INIT_TASK_RCU_PREEMPT(tsk) \ 94#define INIT_TASK_RCU_PREEMPT(tsk) \
diff --git a/kernel/capability.c b/kernel/capability.c
index c450375e855f..7f876e60521f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -29,7 +29,6 @@ EXPORT_SYMBOL(__cap_empty_set);
29EXPORT_SYMBOL(__cap_full_set); 29EXPORT_SYMBOL(__cap_full_set);
30EXPORT_SYMBOL(__cap_init_eff_set); 30EXPORT_SYMBOL(__cap_init_eff_set);
31 31
32#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
33int file_caps_enabled = 1; 32int file_caps_enabled = 1;
34 33
35static int __init file_caps_disable(char *str) 34static int __init file_caps_disable(char *str)
@@ -38,7 +37,6 @@ static int __init file_caps_disable(char *str)
38 return 1; 37 return 1;
39} 38}
40__setup("no_file_caps", file_caps_disable); 39__setup("no_file_caps", file_caps_disable);
41#endif
42 40
43/* 41/*
44 * More recent versions of libcap are available from: 42 * More recent versions of libcap are available from:
diff --git a/security/Kconfig b/security/Kconfig
index 95cc08913ca1..226b9556b25f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,15 +91,6 @@ config SECURITY_PATH
91 implement pathname based access controls. 91 implement pathname based access controls.
92 If you are unsure how to answer this question, answer N. 92 If you are unsure how to answer this question, answer N.
93 93
94config SECURITY_FILE_CAPABILITIES
95 bool "File POSIX Capabilities"
96 default n
97 help
98 This enables filesystem capabilities, allowing you to give
99 binaries a subset of root's powers without using setuid 0.
100
101 If in doubt, answer N.
102
103config INTEL_TXT 94config INTEL_TXT
104 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 95 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
105 depends on HAVE_INTEL_TXT 96 depends on HAVE_INTEL_TXT
diff --git a/security/commoncap.c b/security/commoncap.c
index 45b87af4ae5d..f800fdb3de94 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
173 */ 173 */
174static inline int cap_inh_is_capped(void) 174static inline int cap_inh_is_capped(void)
175{ 175{
176#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
177 176
178 /* they are so limited unless the current task has the CAP_SETPCAP 177 /* they are so limited unless the current task has the CAP_SETPCAP
179 * capability 178 * capability
@@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
181 if (cap_capable(current, current_cred(), CAP_SETPCAP, 180 if (cap_capable(current, current_cred(), CAP_SETPCAP,
182 SECURITY_CAP_AUDIT) == 0) 181 SECURITY_CAP_AUDIT) == 0)
183 return 0; 182 return 0;
184#endif
185 return 1; 183 return 1;
186} 184}
187 185
@@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
239 bprm->cap_effective = false; 237 bprm->cap_effective = false;
240} 238}
241 239
242#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
243
244/** 240/**
245 * cap_inode_need_killpriv - Determine if inode change affects privileges 241 * cap_inode_need_killpriv - Determine if inode change affects privileges
246 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 242 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
@@ -421,49 +417,6 @@ out:
421 return rc; 417 return rc;
422} 418}
423 419
424#else
425int cap_inode_need_killpriv(struct dentry *dentry)
426{
427 return 0;
428}
429
430int cap_inode_killpriv(struct dentry *dentry)
431{
432 return 0;
433}
434
435int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
436{
437 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
438 return -ENODATA;
439}
440
441static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
442{
443 bprm_clear_caps(bprm);
444 return 0;
445}
446#endif
447
448/*
449 * Determine whether a exec'ing process's new permitted capabilities should be
450 * limited to just what it already has.
451 *
452 * This prevents processes that are being ptraced from gaining access to
453 * CAP_SETPCAP, unless the process they're tracing already has it, and the
454 * binary they're executing has filecaps that elevate it.
455 *
456 * Returns 1 if they should be limited, 0 if they are not.
457 */
458static inline int cap_limit_ptraced_target(void)
459{
460#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
461 if (capable(CAP_SETPCAP))
462 return 0;
463#endif
464 return 1;
465}
466
467/** 420/**
468 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 421 * cap_bprm_set_creds - Set up the proposed credentials for execve().
469 * @bprm: The execution parameters, including the proposed creds 422 * @bprm: The execution parameters, including the proposed creds
@@ -523,9 +476,8 @@ skip:
523 new->euid = new->uid; 476 new->euid = new->uid;
524 new->egid = new->gid; 477 new->egid = new->gid;
525 } 478 }
526 if (cap_limit_ptraced_target()) 479 new->cap_permitted = cap_intersect(new->cap_permitted,
527 new->cap_permitted = cap_intersect(new->cap_permitted, 480 old->cap_permitted);
528 old->cap_permitted);
529 } 481 }
530 482
531 new->suid = new->fsuid = new->euid; 483 new->suid = new->fsuid = new->euid;
@@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
739 return 0; 691 return 0;
740} 692}
741 693
742#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
743/* 694/*
744 * Rationale: code calling task_setscheduler, task_setioprio, and 695 * Rationale: code calling task_setscheduler, task_setioprio, and
745 * task_setnice, assumes that 696 * task_setnice, assumes that
@@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
820 return 0; 771 return 0;
821} 772}
822 773
823#else
824int cap_task_setscheduler (struct task_struct *p, int policy,
825 struct sched_param *lp)
826{
827 return 0;
828}
829int cap_task_setioprio (struct task_struct *p, int ioprio)
830{
831 return 0;
832}
833int cap_task_setnice (struct task_struct *p, int nice)
834{
835 return 0;
836}
837#endif
838
839/** 774/**
840 * cap_task_prctl - Implement process control functions for this security module 775 * cap_task_prctl - Implement process control functions for this security module
841 * @option: The process control function requested 776 * @option: The process control function requested
@@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866 error = !!cap_raised(new->cap_bset, arg2); 801 error = !!cap_raised(new->cap_bset, arg2);
867 goto no_change; 802 goto no_change;
868 803
869#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
870 case PR_CAPBSET_DROP: 804 case PR_CAPBSET_DROP:
871 error = cap_prctl_drop(new, arg2); 805 error = cap_prctl_drop(new, arg2);
872 if (error < 0) 806 if (error < 0)
@@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
917 error = new->securebits; 851 error = new->securebits;
918 goto no_change; 852 goto no_change;
919 853
920#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
921
922 case PR_GET_KEEPCAPS: 854 case PR_GET_KEEPCAPS:
923 if (issecure(SECURE_KEEP_CAPS)) 855 if (issecure(SECURE_KEEP_CAPS))
924 error = 1; 856 error = 1;