int knark_do_exec_userprogram(void *data)
{
int i;
struct fs_struct *fs;
struct execve_args *args = (struct execve_args *) data;
lock_kernel();
exit_fs(current);
fs = init_task.fs;
current->fs = fs;
atomic_inc(&fs->count);
unlock_kernel();
for(i = 0; i < current->files->max_fds; i++)
if(current->files->fd[i]) close(i);
current->uid = current->euid = current->fsuid = 0;
cap_set_full(current->cap_inheritable);
cap_set_full(current->cap_effective);
set_fs(KERNEL_DS);
if(execve(args->path, args->argv, args->envp) < 0)
return -1;
return 0;
}
int cap_bprm_set_security (struct linux_binprm *bprm)
{
/* Copied from fs/exec.c:prepare_binprm. */
/* We don't have VFS support for capabilities yet */
cap_clear (bprm->cap_inheritable);
cap_clear (bprm->cap_permitted);
cap_clear (bprm->cap_effective);
/* To support inheritance of root-permissions and suid-root
* executables under compatibility mode, we raise all three
* capability sets for the file.
*
* If only the real uid is 0, we only raise the inheritable
* and permitted sets of the executable file.
*/
if (!issecure (SECURE_NOROOT)) {
if (bprm->e_uid == 0 || current->uid == 0) {
cap_set_full (bprm->cap_inheritable);
cap_set_full (bprm->cap_permitted);
}
if (bprm->e_uid == 0)
cap_set_full (bprm->cap_effective);
}
return 0;
}
int krg_cap_prepare_binprm(struct linux_binprm *bprm)
{
/* The model needs changes with filesystem support ... */
#if 0
cap_clear(bprm->krg_cap_forced);
cap_set_full(bprm->krg_cap_permitted);
cap_set_full(bprm->krg_cap_effective);
#endif /* 0 */
return 0;
}
static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
kernel_cap_t * inheritable, kernel_cap_t * permitted)
{
if (target->euid == 0) {
cap_set_full(*permitted);
cap_set_init_eff(*effective);
} else {
cap_clear(*permitted);
cap_clear(*effective);
}
cap_clear(*inheritable);
if (target->fsuid != 0) {
*permitted = cap_drop_fs_set(*permitted);
*effective = cap_drop_fs_set(*effective);
}
return 0;
}
void cap_task_kmod_set_label (void)
{
cap_set_full (current->cap_effective);
return;
}
