linux-security-module November 2007 archive
Main Archive Page > Month Archives  > linux-security-module archives
linux-security-module: [RFC PATCH 1/2] capabilities: define CONF

[RFC PATCH 1/2] capabilities: define CONFIG_COMMONCAP

From: Serge E. Hallyn <serue_at_nospam>
Date: Thu Nov 15 2007 - 23:16:15 GMT
To: Linux Containers <>,

>From 1512a99aedb7a75ac993ccef91a42c97e1baefc5 Mon Sep 17 00:00:00 2001
From: Serge E. Hallyn <> Date: Fri, 28 Sep 2007 10:33:33 -0500
Subject: [PATCH 1/2] capabilities: define CONFIG_COMMONCAP

currently the compilation of commoncap.c is determined through Makefile logic. So there is no single CONFIG variable which can be relied upon to know whether it will be compiled.

Define CONFIG_COMMONCAP to be true when lsm is not compiled in, or when the capability or rootplug modules are compiled. These are the cases when commoncap is currently compiled. Use this variable in security/Makefile to determine commoncap.c's compilation.

Apart from being a logic cleanup, this is needed by the upcoming cap_bset patch so that prctl can know whether PR_SET_BSET should be supported.

Changelog: Nov 15: make CONFIG_FILE_CAPABILITIES just depend on COMMONCAP. Unfortunately since rootplug doesn't hook cap_setxattr, it would be not quite right to allow CONFIG_FILE_CAPABILITIES with rootplug.

Signed-off-by: Serge E. Hallyn <> --- security/Kconfig | 6 +++++- security/Makefile | 9 +++------ 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/security/Kconfig b/security/Kconfig index 8086e61..de7f9fe 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -80,9 +80,13 @@ config SECURITY_CAPABILITIES This enables the "default" Linux capabilities functionality. If you are unsure how to answer this question, answer Y. +config COMMONCAP + bool + default !SECURITY || SECURITY_CAPABILITIES || SECURITY_ROOTPLUG + config SECURITY_FILE_CAPABILITIES bool "File POSIX Capabilities (EXPERIMENTAL)" - depends on (SECURITY=n || SECURITY_CAPABILITIES!=n) && EXPERIMENTAL + depends on COMMONCAP && !SECURITY_ROOTPLUG && EXPERIMENTAL default n help This enables filesystem capabilities, allowing you to give diff --git a/security/Makefile b/security/Makefile index ef87df2..7cccc81 100644 --- a/security/Makefile +++ b/security/Makefile @@ -5,14 +5,11 @@ obj-$(CONFIG_KEYS) += keys/ subdir-$(CONFIG_SECURITY_SELINUX) += selinux -# if we don't select a security model, use the default capabilities -ifneq ($(CONFIG_SECURITY),y) -obj-y += commoncap.o -endif +obj-$(CONFIG_COMMONCAP) += commoncap.o # Object file lists obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o # Must precede capability.o in order to stack properly. obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o -obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o -obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o +obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o +obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o -- - To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to More majordomo info at