Message ID | 20220120180116.167702-3-flaniel@linux.microsoft.com (mailing list archive) |
---|---|
State | New, archived |
Series | Add capabilities file to sysfs |
Hi. On Thursday, 20 January 2022 at 19:01:16 CET, Francis Laniel wrote: > This new read-only file prints the capabilities values with their names: > cat /sys/kernel/security/capabilities > 0 CAP_CHOWN > 1 CAP_DAC_OVERRIDE > ... > 40 CAP_CHECKPOINT_RESTORE > > Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com> > --- > security/inode.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > > diff --git a/security/inode.c b/security/inode.c > index 6c326939750d..cef78b497bab 100644 > --- a/security/inode.c > +++ b/security/inode.c > @@ -21,6 +21,7 @@ > #include <linux/security.h> > #include <linux/lsm_hooks.h> > #include <linux/magic.h> > +#include <linux/capability.h> > > static struct vfsmount *mount; > static int mount_count; > @@ -328,6 +329,19 @@ static const struct file_operations lsm_ops = { > }; > #endif > > +static struct dentry *capabilities_dentry; > +static ssize_t capabilities_read(struct file *unused, char __user *buf, > + size_t count, loff_t *ppos) > +{ > + return simple_read_from_buffer(buf, count, ppos, cap_string, > + strlen(cap_string)); > +} > + > +static const struct file_operations capabilities_ops = { > + .read = capabilities_read, > + .llseek = generic_file_llseek, > +}; > + > static int __init securityfs_init(void) > { > int retval; > @@ -345,6 +359,8 @@ static int __init securityfs_init(void) > lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL, > &lsm_ops); > #endif > + capabilities_dentry = securityfs("capabilities", 0444, NULL, NULL, > + capabilities_ops); Sorry, I sent the old version of the patch and did not fix this up... The kernel robot kindly showed me this error. I swear the output in the cover letter was done on the compiled kernel within a VM. I will send a v4 correcting this, but I will wait to get some reviews on v3 so as not to generate too much traffic here. > return 0; > } > core_initcall(securityfs_init); Best regards.
diff --git a/security/inode.c b/security/inode.c index 6c326939750d..cef78b497bab 100644 --- a/security/inode.c +++ b/security/inode.c @@ -21,6 +21,7 @@ #include <linux/security.h> #include <linux/lsm_hooks.h> #include <linux/magic.h> +#include <linux/capability.h> static struct vfsmount *mount; static int mount_count; @@ -328,6 +329,19 @@ static const struct file_operations lsm_ops = { }; #endif +static struct dentry *capabilities_dentry; +static ssize_t capabilities_read(struct file *unused, char __user *buf, + size_t count, loff_t *ppos) +{ + return simple_read_from_buffer(buf, count, ppos, cap_string, + strlen(cap_string)); +} + +static const struct file_operations capabilities_ops = { + .read = capabilities_read, + .llseek = generic_file_llseek, +}; + static int __init securityfs_init(void) { int retval; @@ -345,6 +359,8 @@ static int __init securityfs_init(void) lsm_dentry = securityfs_create_file("lsm", 0444, NULL, NULL, &lsm_ops); #endif + capabilities_dentry = securityfs("capabilities", 0444, NULL, NULL, + capabilities_ops); return 0; } core_initcall(securityfs_init);
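Review bot: nothing in this patch declares `cap_string`, which `capabilities_read()` reads in the second hunk, so the new `#include <linux/capability.h>` in the first hunk is presumably where it is expected to come from; the commit message should name the earlier patch of the series that provides it, otherwise this patch does not build on its own and a bisect landing on it breaks.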
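Review bot: in the second hunk `capabilities_dentry` is only ever assigned and never read anywhere in the patch, and `strlen(cap_string)` is recomputed on every read(); unless a follow-up needs the dentry for `securityfs_remove()`, drop the variable, and either compute the length once (e.g. a `static size_t cap_string_len` filled in `securityfs_init()`) or add a comment that the string is immutable so the repeated strlen() is harmless.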
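Review bot: the last hunk does not compile: `securityfs(...)` is not a function and `capabilities_ops` is passed by value, whereas the `lsm` line two lines above calls `securityfs_create_file("lsm", 0444, NULL, NULL, &lsm_ops)`; the new line should read `capabilities_dentry = securityfs_create_file("capabilities", 0444, NULL, NULL, &capabilities_ops);`. While here: the return value is an ERR_PTR on failure and is not checked, and the diffstat touches only security/inode.c, so the new user-visible file /sys/kernel/security/capabilities lands without any documentation entry.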
This new read-only file prints the capabilities values with their names:

    cat /sys/kernel/security/capabilities
    0 CAP_CHOWN
    1 CAP_DAC_OVERRIDE
    ...
    40 CAP_CHECKPOINT_RESTORE

Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
---
 security/inode.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
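A user-space consumer of the file format described in the commit message, added here as an example and not part of the patch or of the kernel: it parses the `<number> <name>` table into a lookup and uses it to render a CapEff-style hex mask (the value a process reports in /proc/<pid>/status) as capability names, the usual step when auditing what a process is allowed to do. The sample table and the mask are constructed for the example; the real file would list every capability.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CAPS 64   /* one bit per capability in a 64-bit mask */
#define NAME_LEN 32   /* keep in sync with the %31s width below */

/* Constructed sample of the file's "<number> <name>" format (the real file has all 41 lines). */
static const char *sample_caps =
    "0 CAP_CHOWN\n1 CAP_DAC_OVERRIDE\n2 CAP_DAC_READ_SEARCH\n3 CAP_FOWNER\n"
    "21 CAP_SYS_ADMIN\n40 CAP_CHECKPOINT_RESTORE\n";

/* Fill names[index] from the table; slots the table does not name keep a CAP_<n>
 * placeholder so an unknown bit is never silently dropped. Returns the number of
 * entries parsed, or -1 on a malformed line (bad number, missing name, index >= 64). */
static int parse_cap_table(const char *text, char names[MAX_CAPS][NAME_LEN])
{
    int count = 0;
    for (int i = 0; i < MAX_CAPS; i++)
        snprintf(names[i], NAME_LEN, "CAP_%d", i);
    while (*text) {
        int idx, used;
        char name[NAME_LEN];
        if (sscanf(text, "%d %31s%n", &idx, name, &used) != 2 || idx < 0 || idx >= MAX_CAPS)
            return -1;
        strcpy(names[idx], name);
        count++;
        text += used + (text[used] == '\n');   /* step past this line's newline, if any */
    }
    return count;
}

/* Render a capability mask as a comma-separated list of names; returns the bit count. */
static int decode_cap_mask(unsigned long long mask, char names[MAX_CAPS][NAME_LEN], char *out, size_t outsz)
{
    int n = 0;
    out[0] = '\0';
    for (int bit = 0; bit < MAX_CAPS; bit++)
        if (mask & (1ULL << bit))
            snprintf(out + strlen(out), outsz - strlen(out), "%s%s", n++ ? "," : "", names[bit]);
    return n;
}

static char demo_names[MAX_CAPS][NAME_LEN], demo_out[1024];

/* Decode a constructed mask (bits 0, 1, 3, 5, 21, 40) against the sample table. */
static const char *run_demo(void)
{
    parse_cap_table(sample_caps, demo_names);
    decode_cap_mask(0x1000020002BULL, demo_names, demo_out, sizeof demo_out);
    return demo_out;
}
```

Link it with a main() that prints run_demo(), or feed parse_cap_table() the real file contents and decode_cap_mask() the CapEff value of the process under review; bit 5 in the demo mask is absent from the sample table and therefore comes out as the CAP_5 placeholder.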