qubes-linux-kernel/patches.suse/file-capabilities-disable-by-default.diff

57 lines
1.7 KiB
Diff
Raw Normal View History

From: Andreas Gruenbacher <agruen@suse.de>
Subject: Disable file capabilities by default
Patch-mainline: probably never
Disable file capabilities by default: we are still lacking documentation
and file capability awareness in system management tools.
Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
---
Documentation/kernel-parameters.txt | 8 +++++++-
kernel/capability.c | 9 ++++++++-
2 files changed, 15 insertions(+), 2 deletions(-)
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1697,7 +1697,13 @@ and is between 256 and 4096 characters.
no_file_caps Tells the kernel not to honor file capabilities. The
only way then for a file to be executed with privilege
- is to be setuid root or executed by root.
+ is to be setuid root or executed by root. They
+ default to disabled.
+
+ file_caps Tells the kernel to honor file capabilities. The
+ only way then for a file to be executed with privilege
+ is to be setuid root or executed by root. They default
+ to disabled.
nohalt [IA-64] Tells the kernel not to use the power saving
function PAL_HALT_LIGHT when idle. This increases
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -29,7 +29,7 @@ EXPORT_SYMBOL(__cap_empty_set);
EXPORT_SYMBOL(__cap_full_set);
EXPORT_SYMBOL(__cap_init_eff_set);
-int file_caps_enabled = 1;
+int file_caps_enabled;
static int __init file_caps_disable(char *str)
{
@@ -38,6 +38,13 @@ static int __init file_caps_disable(char
}
__setup("no_file_caps", file_caps_disable);
+static int __init file_caps_enable(char *str)
+{
+ file_caps_enabled = 1;
+ return 1;
+}
+__setup("file_caps", file_caps_enable);
+
/*
* More recent versions of libcap are available from:
*