kernel_optimize_test/kernel
Eric Paris 6ff1b4426e [PATCH] make reading /proc/sys/kernel/cap-bould not require CAP_SYS_MODULE
Reading /proc/sys/kernel/cap-bound requires CAP_SYS_MODULE.  (see
proc_dointvec_bset in kernel/sysctl.c)

sysctl appears to drive all over proc reading everything it can get its
hands on and is complaining when it is being denied access to read
cap-bound.  Clearly writing to cap-bound should be a sensitive operation
but requiring CAP_SYS_MODULE to read cap-bound seems a bit too strong.  I
believe the information could with reasonable certainty be obtained by
looking at a bunch of the output of /proc/pid/status which has very low
security protection, so at best we are just getting a little obfuscation of
information.

Currently SELinux policy has to 'dontaudit' capability checks for
CAP_SYS_MODULE for things like sysctl which just want to read cap-bound.
In doing so we also as a byproduct have to hide warnings of potential
exploits such as if at some time that sysctl actually tried to load a
module.  I wondered if anyone would have a problem opening cap-bound up to
read from anyone?

Acked-by: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-02-11 10:51:19 -08:00
irq devres: device resource management 2007-02-09 17:39:36 -05:00
power [PATCH] Drop free_pages() 2007-02-11 10:51:18 -08:00
time [PATCH] clocksource: small cleanup 2006-12-10 09:57:22 -08:00
.gitignore
acct.c [PATCH] kernel: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:42 -08:00
audit.c [PATCH] Add include/linux/freezer.h and move definitions from sched.h 2006-12-07 08:39:27 -08:00
audit.h [PATCH] audit: AUDIT_PERM support 2006-09-11 13:32:30 -04:00
auditfilter.c [PATCH] audit: fix kstrdup() error check 2006-12-22 08:55:49 -08:00
auditsc.c [PATCH] struct path: convert kernel 2006-12-08 08:28:46 -08:00
capability.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
compat.c [PATCH] Create compat_sys_migrate_pages 2006-11-03 12:27:59 -08:00
configs.c [PATCH] struct seq_operations and struct file_operations constification 2006-12-07 08:39:46 -08:00
cpu.c [PATCH] Change cpu_up and co from __devinit to __cpuinit 2007-01-11 18:18:20 -08:00
cpuset.c [PATCH] cpuset procfs warning fix 2006-12-30 10:56:43 -08:00
delayacct.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
dma.c [PATCH] struct seq_operations and struct file_operations constification 2006-12-07 08:39:46 -08:00
exec_domain.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
exit.c [PATCH] namespaces: fix task exit disaster 2007-01-30 13:40:36 -08:00
extable.c [PATCH] symbol_put_addr() locks kernel 2006-05-15 11:20:55 -07:00
fork.c [PATCH] fork_idle() should be __cpuinit, not __devinit 2007-02-01 16:17:06 -08:00
futex_compat.c [PATCH] __user annotations: futex 2006-10-10 15:37:22 -07:00
futex.c [PATCH] kernel: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:42 -08:00
hrtimer.c [PATCH] posix-timers: Fix clock_nanosleep() doesn't return the remaining time in compatibility mode 2006-09-29 09:18:15 -07:00
itimer.c [PATCH] hrtimers: remove data field 2006-03-26 08:57:03 -08:00
kallsyms.c [PATCH] move kallsyms data to .rodata 2006-12-08 08:28:37 -08:00
Kconfig.hz [PATCH] HZ: 300Hz support 2006-12-07 08:39:36 -08:00
Kconfig.preempt
kexec.c Merge branch 'release' of master.kernel.org:/pub/scm/linux/kernel/git/aegl/linux-2.6 2006-12-07 15:39:22 -08:00
kfifo.c [PATCH] memory ordering in __kfifo primitives 2006-09-29 09:18:13 -07:00
kmod.c [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
kprobes.c [PATCH] kprobes: replace magic numbers with enum 2007-01-30 16:01:35 -08:00
ksysfs.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
kthread.c WorkStruct: Pass the work_struct pointer instead of context data 2006-11-22 14:55:48 +00:00
latency.c [PATCH] severing module.h->sched.h 2006-12-04 02:00:22 -05:00
lockdep_internals.h [PATCH] lockdep: more chains 2006-12-07 08:39:43 -08:00
lockdep_proc.c [PATCH] struct seq_operations and struct file_operations constification 2006-12-07 08:39:46 -08:00
lockdep.c [PATCH] lockdep: printk warning fix 2006-12-30 10:56:43 -08:00
Makefile Remove stack unwinder for now 2006-12-15 08:47:51 -08:00
module.c /sys/modules/*/holders 2007-02-07 10:37:12 -08:00
mutex-debug.c [PATCH] lockdep: show more details about self-test failures 2006-12-07 08:39:43 -08:00
mutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
mutex.c [PATCH] lockdep: avoid lockdep warning in md 2006-12-08 08:28:39 -08:00
mutex.h [PATCH] lockdep: prove mutex locking correctness 2006-07-03 15:27:04 -07:00
nsproxy.c Revert "[PATCH] namespaces: fix exit race by splitting exit" 2007-01-30 13:35:18 -08:00
panic.c [PATCH] x86: Clean up x86 NMI sysctls 2006-09-30 01:47:55 +02:00
params.c /sys/modules/*/holders 2007-02-07 10:37:12 -08:00
pid.c [PATCH] namespaces: fix task exit disaster 2007-01-30 13:40:36 -08:00
posix-cpu-timers.c [PATCH] posix-cpu-timers: prevent signal delivery starvation 2006-10-17 08:18:43 -07:00
posix-timers.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
printk.c [PATCH] make kernel/printk.c:ignore_loglevel_setup() static 2006-12-22 08:55:47 -08:00
profile.c [PATCH] fix "kvm: add vm exit profiling" 2007-01-23 07:52:05 -08:00
ptrace.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
rcupdate.c [PATCH] rcu: add a prefetch() in rcu_do_batch() 2006-12-07 08:39:40 -08:00
rcutorture.c [PATCH] rcu: rcutorture suspend fix 2006-12-30 10:55:55 -08:00
relay.c [PATCH] relay: remove inlining 2006-12-22 08:55:51 -08:00
resource.c devres: device resource management 2007-02-09 17:39:36 -05:00
rtmutex_common.h [PATCH] pi-futex: futex_lock_pi/futex_unlock_pi support 2006-06-27 17:32:47 -07:00
rtmutex-debug.c Remove all inclusions of <linux/config.h> 2006-10-04 03:38:54 -04:00
rtmutex-debug.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rtmutex-tester.c [PATCH] Add include/linux/freezer.h and move definitions from sched.h 2006-12-07 08:39:27 -08:00
rtmutex.c [PATCH] clean up and remove some extra spinlocks from rtmutex 2006-09-29 09:18:09 -07:00
rtmutex.h [PATCH] lockdep: better lock debugging 2006-07-03 15:27:01 -07:00
rwsem.c [PATCH] lockdep: prove rwsem locking correctness 2006-07-03 15:27:04 -07:00
sched.c [PATCH] sched: tasks cannot run on cpus onlined after boot 2007-01-11 18:18:20 -08:00
seccomp.c
signal.c [PATCH] PM: Fix freezing of stopped tasks 2006-12-13 09:05:49 -08:00
softirq.c [PATCH] softirq: remove BUG_ONs which can incorrectly trigger 2006-12-07 08:39:43 -08:00
softlockup.c [PATCH] check return value of cpu_callback 2006-09-29 09:18:14 -07:00
spinlock.c [PATCH] lockdep: spin_lock_irqsave_nested() 2006-11-25 13:28:34 -08:00
srcu.c [PATCH] SRCU: report out-of-memory errors 2006-10-04 07:55:30 -07:00
stacktrace.c [PATCH] lockdep: stacktrace subsystem, core 2006-07-03 15:27:02 -07:00
stop_machine.c [PATCH] stop_machine.c copyright 2006-09-29 09:18:24 -07:00
sys_ni.c [PATCH] Create compat_sys_migrate_pages 2006-11-03 12:27:59 -08:00
sys.c [PATCH] notifiers: fix blocking_notifier_call_chain() scalability 2007-01-23 11:08:03 -08:00
sysctl.c [PATCH] make reading /proc/sys/kernel/cap-bould not require CAP_SYS_MODULE 2007-02-11 10:51:19 -08:00
taskstats.c [PATCH] taskstats: cleanup reply assembling 2006-12-07 08:39:34 -08:00
time.c [PATCH] NTP: Move all the NTP related code to ntp.c 2006-10-01 00:39:26 -07:00
timer.c [PATCH] schedule_timeout(): improve warning message 2006-12-22 08:55:49 -08:00
tsacct.c [PATCH] io-accounting: via taskstats 2006-12-10 09:55:41 -08:00
uid16.c [PATCH] Add more prevent_tail_call() 2006-04-19 16:27:18 -07:00
user.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
utsname.c [PATCH] namespaces: utsname: implement CLONE_NEWUTS flag 2006-10-02 07:57:22 -07:00
wait.c [PATCH] uninline init_waitqueue_head() 2006-07-10 13:24:25 -07:00
workqueue.c [PATCH] fix kernel-doc warnings in 2.6.20-rc1 2006-12-22 08:55:47 -08:00