The LSM kernel patch moves most of the existing POSIX.1e capabilities
logic into an optional security module stored in the file
security/capability.c. This change allows users who do not want to use
capabilities to omit this code entirely from their kernel, instead
using the dummy module for traditional superuser logic or any other
module that they desire. This change also allows the developers of the
capabilities logic to maintain and enhance their code more freely,
without needing to integrate patches back into the base kernel.

In addition to moving the capabilities logic, the LSM kernel patch could move the capability-related fields from the kernel data structures into the new security fields managed by the security modules. However, at present, the LSM kernel patch leaves the capability fields in the kernel data structures. In his original remarks, Linus suggested that this might be preferable so that other security modules can be easily stacked with the capabilities module without needing to chain multiple security structures on the security field. It also avoids imposing extra overhead on the capabilities module to manage the security fields. However, the LSM framework could certainly support such a move if it is determined to be desirable, with only a few additional changes described below.

At present, the capabilities logic for computing process capabilities
on execve and set*uid, checking capabilities for a particular process,
saving and checking capabilities for netlink messages, and handling the
capget and capset system calls has been moved into the capabilities
module. There are still a few locations in the base kernel where
capability-related fields are directly examined or modified, but the
current version of the LSM patch does allow a security module to
completely replace the assignment and testing of capabilities. These
few locations would need to be changed if the capability-related
fields were moved into the security field. The following is a list of
known locations that still perform such direct examination or
modification of capability-related fields:

- fs/open.c:sys_access
- fs/lockd/host.c:nlm_bind_host
- fs/nfsd/auth.c:nfsd_setuser
- fs/proc/array.c:task_cap
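To make concrete the execve capability computation that the text above says now lives in the capabilities module, here is an added user-space model (not the module's own code) of the POSIX.1e draft rule as early Linux applied it, including the root-emulation step that runs first. The struct names, the single 32-bit mask per set and the capability bit numbers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Each capability set is one 32-bit mask, as in the early kernel; the bit
 * numbers used below are constructed, not the kernel's CAP_* values. */
typedef uint32_t cap_t;
#define CAP_FULL 0xffffffffu

struct creds {                /* the per-process fields the module maintains */
    unsigned uid, euid;
    cap_t permitted, inheritable, effective;
};
struct bprm_caps {            /* sets attached to the image being executed */
    unsigned e_uid;           /* uid the new image will run as */
    cap_t permitted, inheritable, effective;
};

/* Root emulation, applied before the computation when SECURE_NOROOT is off:
 * an image run by uid 0, or that will run as uid 0, gets full file sets. */
static void cap_bprm_set_security(const struct creds *cur, struct bprm_caps *b)
{
    if (cur->uid == 0 || b->e_uid == 0)
        b->permitted = b->inheritable = CAP_FULL;
    if (b->e_uid == 0)
        b->effective = CAP_FULL;
}

/* POSIX.1e execve rule: pP' = (fP & X) | (fI & pI) and pE' = pP' & fE,
 * with X the system-wide bounding set; the inheritable set survives execve. */
static void cap_compute_creds(struct creds *cur, const struct bprm_caps *b, cap_t bset)
{
    cap_t new_permitted = (b->permitted & bset) | (b->inheritable & cur->inheritable);
    cur->permitted = new_permitted;
    cur->effective = new_permitted & b->effective;
    cur->euid = b->e_uid;
}

/* The test behind capable(): is the capability bit in the effective set? */
static int cap_capable(const struct creds *c, unsigned cap) { return (c->effective >> cap) & 1u; }

int main(void)
{   /* constructed case: uid 1000 runs a file carrying bit 7 in fP and fE */
    struct creds cur = { .uid = 1000, .euid = 1000 };
    struct bprm_caps b = { .e_uid = 1000, .permitted = 1u << 7, .effective = 1u << 7 };
    cap_bprm_set_security(&cur, &b);
    cap_compute_creds(&cur, &b, CAP_FULL);
    printf("permitted=%#x effective=%#x\n", cur.permitted, cur.effective);
    return 0;
}
```

A bounding set that lacks bit 7 removes it from the new permitted set regardless of what the file carries, which is the lever a module can use to restrict even setuid-root images.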