Debian Bug report logs - #337599
linux-image-2.6.13-1-k7: Please make SECURITY_CAPABILITIES as module

Package: realtime-lsm; Maintainer for realtime-lsm is (unknown);

Reported by: "Mario Izquierdo \(mariodebian\)" <mariodebian@gmail.com>

Date: Sat, 5 Nov 2005 08:33:04 UTC

Severity: wishlist

Tags: experimental

Found in version realtime-lsm/0.1.1-6

Fixed in version 0.8.7-3.1+rm

Done: Marco Rodrigues <gothicx@sapo.pt>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, mariodebian@gmail.com, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#337599; Package linux-image-2.6.13-1-k7. Full text and rfc822 format available.

Acknowledgement sent to "Mario Izquierdo \(mariodebian\)" <mariodebian@gmail.com>:
New Bug report received and forwarded. Copy sent to mariodebian@gmail.com, Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Mario Izquierdo \(mariodebian\)" <mariodebian@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linux-image-2.6.13-1-k7: Please make SECURITY_CAPABILITIES as module
Date: Sun, 16 Oct 2005 14:13:04 +0200
Package: linux-image-2.6.13-1-k7
Version: 2.6.13-1
Severity: wishlist
Tags: experimental

I want to compile realtime-lsm module in 2.6.13-1-k7 but
module-assistant doesn't work:

# rgrep CAPABILITIES /boot/config-2.6.12-1-k7
CONFIG_SECURITY_CAPABILITIES=m

# rgrep CAPABILITIES /boot/config-2.6.13-1-k7
CONFIG_SECURITY_CAPABILITIES=y

In 2.6.12-1-k7 it is a module.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13-1-k7
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=UTF-8) (ignored: LC_ALL set to es_ES.UTF-8)

Versions of packages linux-image-2.6.13-1-k7 depends on:
ii  initrd-tools                  0.1.82     tools to create initrd image for p
ii  module-init-tools             3.2-pre9-2 tools for managing Linux kernel mo

linux-image-2.6.13-1-k7 recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Kernel Team <debian-kernel@lists.debian.org>:
Bug#337599; Package linux-image-2.6.13-1-k7. Full text and rfc822 format available.

Acknowledgement sent to Bastian Blank <waldi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Kernel Team <debian-kernel@lists.debian.org>. Full text and rfc822 format available.

Message #10 received at 337599@bugs.debian.org (full text, mbox):

From: Bastian Blank <waldi@debian.org>
To: "Mario Izquierdo (mariodebian)" <mariodebian@gmail.com>, 337599@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#337599: linux-image-2.6.13-1-k7: Please make SECURITY_CAPABILITIES as module
Date: Sat, 5 Nov 2005 10:50:29 +0100
reassign 337599 realtime-lsm
thanks

On Sun, Oct 16, 2005 at 02:13:04PM +0200, Mario Izquierdo (mariodebian) wrote:
> I want to compile realtime-lsm module in 2.6.13-1-k7 but
> module-assistant doesn't work:

This was already decided to be a realtime-lsm bug.

Bastian

-- 
It is undignified for a woman to play servant to a man who is not hers.
		-- Spock, "Amok Time", stardate 3372.7

Bug reassigned from package `linux-image-2.6.13-1-k7' to `realtime-lsm'. Request was from Bastian Blank <waldi@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Alexandre Touret <alexandre.touret@free.fr>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #17 received at 337599@bugs.debian.org (full text, mbox):

From: Alexandre Touret <alexandre.touret@free.fr>
To: Debian Bug Tracking System <337599@bugs.debian.org>
Subject: realtime-lsm: Realtime-lsm cant build with kernel 2.6.14-2-k7 too
Date: Thu, 17 Nov 2005 22:39:16 +0100
Package: realtime-lsm
Version: 0.1.1-6
Followup-For: Bug #337599

I have downloaded the kernel packaged in linux-image .deb and I can't build the package realtime-lsm with m-a

I have the following log

dh_clean
make COMMONCAP=none clean
make[1]: Entering directory `/usr/src/modules/realtime-lsm'
rm -f *.ko *.o none
rm -f *.mod.* .*.cmd
make[1]: Leaving directory `/usr/src/modules/realtime-lsm'
/usr/bin/make  -f debian/rules kdist_clean kdist_config binary-modules
make[1]: Entering directory `/usr/src/modules/realtime-lsm'
dh_clean
make COMMONCAP=none clean
make[2]: Entering directory `/usr/src/modules/realtime-lsm'
rm -f *.ko *.o none
rm -f *.mod.* .*.cmd
make[2]: Leaving directory `/usr/src/modules/realtime-lsm'
/usr/bin/gcc-4.0
for templ in /usr/src/modules/realtime-lsm/debian/realtime-lsm-module-_KVERS_.postinst /usr/src/modules/realtime-lsm/debian/realtime-lsm-module-_KVERS_.postinst.backup /usr/src/modules/realtime-lsm/debian/realtime-lsm-module-_KVERS_.postinst.modules.in; do \
    cp $templ `echo $templ | sed -e 's/_KVERS_/2.6.14-2-k7/g'` ; \
  done
for templ in `ls debian/*.modules.in` ; do \
    test -e ${templ%.modules.in}.backup || cp ${templ%.modules.in} ${templ%.modules.in}.backup 2>/dev/null || true; \
    sed -e 's/##KVERS##/2.6.14-2-k7/g ;s/#KVERS#/2.6.14-2-k7/g ; s/_KVERS_/2.6.14-2-k7/g ; s/##KDREV##/2.6.14-3/g ; s/#KDREV#/2.6.14-3/g ; s/_KDREV_/2.6.14-3/g' < $templ > ${templ%.modules.in}; \
  done
dh_testdir
dh_testroot
dh_clean -k
make KERNEL_DIR=/usr/src/linux MODVERSIONS=detect KERNEL=linux-2.6.14-2-k7 COMMONCAP=none
make[2]: Entering directory `/usr/src/modules/realtime-lsm'
Failed: Security Capabilities not configured as module
Realtime LSM will not work with /usr/src/linux
Please rerun `make config' on the kernel and try again.
make[2]: *** [none] Erreur 1
make[2]: Leaving directory `/usr/src/modules/realtime-lsm'
make[1]: *** [binary-modules] Erreur 2
make[1]: Leaving directory `/usr/src/modules/realtime-lsm'
make: *** [kdist_build] Erreur 2

Regards,
Alexandre Touret

-- System Information:
Debian Release: testing/unstable
  APT prefers stable
  APT policy: (900, 'stable'), (600, 'testing'), (300, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

realtime-lsm depends on no packages.

Versions of packages realtime-lsm recommends:
pn  realtime-lsm-module           <none>     (no description available)



Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #22 received at 337599@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: debian-multimedia@lists.debian.org
Cc: 337599@bugs.debian.org, joq@io.com
Subject: realtime-lsm for default Debian kernel
Date: Wed, 04 Apr 2007 15:49:34 +0200
Hi,

with the attached patch, you can use realtime-lsm (realtime capabilities
for ordinary users for e.g. JACK applications).

Note: This change is only useful for CONFIG_SECURITY_CAPABILITIES=y
configurations like the current Debian kernels. As soon as the kernel
really supports general stackable LSM, all this should become obsolete.

Background: What realtime-lsm currently does is replace the
capability_ops of the default security capabilities. This is done by
unloading the capability module and loading realtime.ko instead (they
can't be used both). This renders an unusable state for Debian kernels
with CONFIG_SECURITY_CAPABILITIES=y. The attached patch instead
unregisters the current capabilities (only if really necessary, the old
approach of trying to register "realtime" as a secondary module on
problems is kept). On realtime.ko unload, the old state is restored.

The only potential problem I see is loading realtime.ko, unloading
capability.ko and then unloading realtime.ko (which restores
capabilities of a module that doesn't exist anymore: capability.ko).
Maybe we can guard against that, somehow? But this would be the
CONFIG_SECURITY_CAPABILITIES=m case, where we need to get rid of
capability.ko before loading realtime.ko anyway. Kind of academical
question...

So what do you think?

Thanks,

Roland
[realtime-lsm.patch (text/x-patch, inline)]
--- realtime-lsm/Makefile	2006-07-10 02:26:22.000000000 +0200
+++ realtime-lsm-new/Makefile	2007-04-04 15:14:37.000000000 +0200
@@ -1,7 +1,6 @@
 PACKAGE := realtime-lsm
 VERSION := 0.8.7
 SOURCES := Makefile realtime.c
-COMMONCAP := commoncap.c
 DIST_EXTRA := AUTHORS ChangeLog COPYING INSTALL README
 DISTFILES := $(SOURCES) $(DIST_EXTRA)
 
@@ -11,28 +10,17 @@
 
 obj-m := realtime.o
 
-realtime-objs:= realtime.o commoncap.o
-
 
 ifndef KERNELRELEASE
 
-all:	$(SOURCES) config
+all:	$(SOURCES)
 	$(MAKE) modules -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
 
-config:
-	@if grep CONFIG_SECURITY_CAPABILITIES=m $(KERNEL_DIR)/.config; \
-	then ln -sf $(KERNEL_DIR)/security/$(COMMONCAP) .; \
-	else echo "Failed: Security Capabilities not configured as module"; \
-	     echo "Realtime LSM will not work with $(KERNEL_DIR)"; \
-	     echo "Please rerun \`make config' on the kernel and try again."; \
-	     false; \
-	fi
-
 install:
 	$(MAKE) modules_install -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
 
 clean:
-	-rm -f *.ko *.o $(COMMONCAP)
+	-rm -f *.ko *.o
 	-rm -f *.mod.* .*.cmd
 	-rm -rf .tmp_versions
 
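
Review bot: Removing the `config` target and `realtime-objs:= realtime.o commoncap.o` outright also changes the build for CONFIG_SECURITY_CAPABILITIES=m kernels, although the cover message says the change is only useful for =y configurations. Consider keeping the commoncap.c link for the =m case and skipping it otherwise, rather than dropping the check altogether; with no check left, a kernel tree that the old target would have rejected now builds without any diagnostic.
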
--- realtime-lsm/realtime.c	2006-05-22 20:11:02.000000000 +0200
+++ realtime-lsm-new/realtime.c	2007-04-04 15:16:51.000000000 +0200
@@ -94,6 +94,8 @@
 #define MY_NAME __stringify(KBUILD_MODNAME)
 
 static int secondary;	/* flag to keep track of how we were registered */
+static int substitute;  /* we substituted current / default security ops */
+static struct security_operations *old_ops;
 
 static int __init realtime_init(void)
 {
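
Review bot: `old_ops` is declared without a comment, and nothing in this patch pins the owner of the saved pointer, so the stale-pointer case raised in the cover message (capability.ko unloaded while realtime.ko is loaded) stays open. Add a comment stating what `old_ops` holds and when it is valid, and either document the restriction or skip the restore when the owner may be gone. The new `substitute` line also aligns its comment with spaces where the `secondary` line above it uses a tab.
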
@@ -102,13 +104,30 @@
 
 		/* try registering with primary module */
 		if (mod_reg_security(MY_NAME, &capability_ops)) {
-			printk(KERN_INFO RT_ERR "Failure registering "
-			       "capabilities with primary security module.\n");
-			printk(KERN_INFO RT_ERR "Is kernel configured "
-			       "with CONFIG_SECURITY_CAPABILITIES=m?\n");
-			return -EINVAL;
+
+			/* try to unregister current (default) capabilities */
+			old_ops = security_ops;
+			if (unregister_security(security_ops)) {
+				printk(KERN_INFO RT_ERR "Failure on "
+					"unregistering old capabilities.\n");
+				return -EINVAL;
+			}
+
+			/* substitute with realtime capabilities */
+			if (register_security(&capability_ops)) {
+				printk(KERN_INFO RT_ERR "Failure registering "
+					"substitute security capabilities.\n");
+				if (register_security(old_ops)) {
+					printk(KERN_ERR "FATAL: Couldn't "
+						"re-register old security "
+						"capabilities. Lost them!\n");
+				}
+				return -EINVAL;
+			}
+			substitute = 1;
+		} else {
+			secondary = 1;
 		}
-		secondary = 1;
 	}
 
 	if (rt_any)
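
Review bot: In the fallback branch of `realtime_init()`, `unregister_security(security_ops)` removes whatever is currently registered, while the comment assumes it is the default capabilities, and any `mod_reg_security()` failure leads here. Check that `security_ops` is the expected default before unregistering, and return the original error otherwise. Between the unregister and `register_security(&capability_ops)` the previous ops are not installed, so the swap is not atomic; if that window is accepted, say so in a comment. The new failure messages also mix levels: the first two use `KERN_INFO RT_ERR`, the last uses `KERN_ERR` without the `RT_ERR` prefix.
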
@@ -136,6 +155,12 @@
 		printk(KERN_INFO RT_ERR
 		       "Failure unregistering capabilities with the kernel\n");
 	}
+	if (substitute) {
+		if (register_security(old_ops)) {
+			printk(KERN_INFO RT_ERR "Failure re-registering "
+				"default capabilities with the kernel\n");
+		}
+	}
 	printk(KERN_INFO "Realtime Capability LSM exiting\n");
 }
 
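
Review bot: The restore in the exit path runs whether or not the unregister just above it succeeded, so after a failed unregister `register_security(old_ops)` is attempted while the realtime ops may still be registered and the log shows two failures for one cause. Make the restore conditional on the unregister having succeeded. A failed restore here leaves the kernel without the previous capabilities, which the init path reports as `KERN_ERR` "FATAL"; in this hunk it is only `KERN_INFO`, so use the same level in both places.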

Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Eric Dantan Rzewnicki <eric@zhevny.com>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #27 received at 337599@bugs.debian.org (full text, mbox):

From: Eric Dantan Rzewnicki <eric@zhevny.com>
To: Roland Stigge <stigge@antcom.de>
Cc: debian-multimedia@lists.debian.org, 337599@bugs.debian.org, joq@io.com
Subject: Re: realtime-lsm for default Debian kernel
Date: Wed, 4 Apr 2007 10:02:39 -0400
On Wed, Apr 04, 2007 at 03:49:34PM +0200, Roland Stigge wrote:
> Hi,
> 
> with the attached patch, you can use realtime-lsm (realtime capabilities
> for ordinary users for e.g. JACK applications).
> 
> Note: This change is only useful for CONFIG_SECURITY_CAPABILITIES=y
> configurations like the current Debian kernels. As soon as the kernel
> really supports general stackable LSM, all this should become obsolete.
> 
> Background: What realtime-lsm currently does is replace the
> capability_ops of the default security capabilities. This is done by
> unloading the capability module and loading realtime.ko instead (they
> can't be used both). This renders an unusable state for Debian kernels
> with CONFIG_SECURITY_CAPABILITIES=y. The attached patch instead
> unregisters the current capabilities (only if really necessary, the old
> approach of trying to register "realtime" as a secondary module on
> problems is kept). On realtime.ko unload, the old state is restored.
> 
> The only potential problem I see is loading realtime.ko, unloading
> capability.ko and then unloading realtime.ko (which restores
> capabilities of a module that doesn't exist anymore: capability.ko).
> Maybe we can guard against that, somehow? But this would be the
> CONFIG_SECURITY_CAPABILITIES=m case, where we need to get rid of
> capability.ko before loading realtime.ko anyway. Kind of academical
> question...
> 
> So what do you think?

The realtime lsm has been deprecated in favor of using rt rlimits. pam
in etch supports this for some time now, so what is the point of
spending more time and effort on the lsm?

-Eric Rz.



Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Roland Stigge <stigge@antcom.de>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #32 received at 337599@bugs.debian.org (full text, mbox):

From: Roland Stigge <stigge@antcom.de>
To: Eric Dantan Rzewnicki <eric@zhevny.com>
Cc: debian-multimedia@lists.debian.org, 337599@bugs.debian.org, joq@io.com
Subject: Re: realtime-lsm for default Debian kernel
Date: Wed, 04 Apr 2007 17:16:11 +0200
Hi Eric,

Eric Dantan Rzewnicki wrote:
> The realtime lsm has been deprecated in favor of using rt rlimits. pam
> in etch supports this for some time now, so what is the point of
> spending more time and effort on the lsm?

Not knowing it? :) In fact, jackd's README.Debian and the package
realtime-lsm suggest that realtime-lsm is the only solution.

Now that I know it, I can also use limits.conf.

Maybe the jackd documentation should be adjusted (and realtime-lsm
removed from the archive).

Thanks,

Roland
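
Added example, not part of this thread or of the realtime-lsm or jackd packages: a small C check for the rt rlimits route mentioned above, reporting the RLIMIT_RTPRIO limit a session received and whether SCHED_FIFO is actually granted. It assumes a pam_limits entry such as `@audio - rtprio 95` in limits.conf; the group name, the value 95 and the requested priority 10 are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Without CAP_SYS_NICE, the kernel accepts a new realtime priority only
 * if it is at most the RLIMIT_RTPRIO soft limit; a limit of 0 (the usual
 * default) therefore means "no realtime scheduling for this user". */
int rt_prio_within_limit(rlim_t soft_limit, int wanted)
{
	return wanted >= 1 && (rlim_t)wanted <= soft_limit;
}

/* Read the limit that was applied to this session. Returns 0 on success. */
int read_rtprio_limit(struct rlimit *rl)
{
	return getrlimit(RLIMIT_RTPRIO, rl);
}

/* Ask for SCHED_FIFO at `wanted` and undo it immediately.
 * Returns 0 if the kernel granted it, otherwise the errno value. */
int try_sched_fifo(int wanted)
{
	struct sched_param rt = { .sched_priority = wanted };
	struct sched_param normal = { .sched_priority = 0 };

	if (sched_setscheduler(0, SCHED_FIFO, &rt) != 0)
		return errno;
	sched_setscheduler(0, SCHED_OTHER, &normal);
	return 0;
}

int main(void)
{
	const int wanted = 10;	/* constructed sample value, not from the thread */
	struct rlimit rl;
	int err;

	if (read_rtprio_limit(&rl) != 0) {
		perror("getrlimit(RLIMIT_RTPRIO)");
		return 2;
	}
	printf("RLIMIT_RTPRIO soft=%llu hard=%llu\n",
	       (unsigned long long)rl.rlim_cur, (unsigned long long)rl.rlim_max);
	printf("priority %d within soft limit: %s\n", wanted,
	       rt_prio_within_limit(rl.rlim_cur, wanted) ? "yes" : "no");

	err = try_sched_fifo(wanted);
	if (err)
		printf("SCHED_FIFO refused: %s\n", strerror(err));
	else
		printf("SCHED_FIFO granted (rlimit or CAP_SYS_NICE)\n");
	/* Non-zero exit when the session cannot get the priority it asked for. */
	return err ? 1 : 0;
}
```

Run it from a fresh login of the user in question, since limits.conf is applied when the session starts.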



Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Eric Dantan Rzewnicki <eric@zhevny.com>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #37 received at 337599@bugs.debian.org (full text, mbox):

From: Eric Dantan Rzewnicki <eric@zhevny.com>
To: Roland Stigge <stigge@antcom.de>
Cc: debian-multimedia@lists.debian.org, 337599@bugs.debian.org, joq@io.com
Subject: Re: realtime-lsm for default Debian kernel
Date: Wed, 4 Apr 2007 12:10:35 -0400
On Wed, Apr 04, 2007 at 05:16:11PM +0200, Roland Stigge wrote:
> Hi Eric,
> Eric Dantan Rzewnicki wrote:
> > The realtime lsm has been deprecated in favor of using rt rlimits. pam
> > in etch supports this for some time now, so what is the point of
> > spending more time and effort on the lsm?
> Not knowing it? :) In fact, jackd's README.Debian and the package
> realtime-lsm suggest that realtime-lsm is the only solution.

Sorry, didn't mean to sound pissy. Yes, the jackd docs are likely out of
date and should be changed if so. Care to file a bug?

There is a newer jackd that Free uploaded to experimental. It's way too
late to get it into etch. But, are documentation changes still being
accepted?

> Now that I know it, I can also use limits.conf.
> 
> Maybe the jackd documentation should be adjusted (and realtime-lsm
> removed from the archive).

There was never anything wrong with the lsm per se, other than that the
kernel devs rejected it. Nonetheless, it should go away eventually. I'm
not sure about removing it from etch, though ... there could be numerous
documentation bugs like the one you've come across. What do others
think?

-Eric Rz.



Information forwarded to debian-bugs-dist@lists.debian.org, Guenter Geiger (Debian/GNU) <geiger@debian.org>:
Bug#337599; Package realtime-lsm. Full text and rfc822 format available.

Acknowledgement sent to Free Ekanayaka <freee@debian.org>:
Extra info received and forwarded to list. Copy sent to Guenter Geiger (Debian/GNU) <geiger@debian.org>. Full text and rfc822 format available.

Message #42 received at 337599@bugs.debian.org (full text, mbox):

From: Free Ekanayaka <freee@debian.org>
To: Eric Dantan Rzewnicki <eric@zhevny.com>
Cc: Roland Stigge <stigge@antcom.de>, debian-multimedia@lists.debian.org, 337599@bugs.debian.org, joq@io.com
Subject: Re: realtime-lsm for default Debian kernel
Date: Wed, 04 Apr 2007 18:23:35 +0200
|--==> Eric Dantan Rzewnicki writes:

  EDR> There is a newer jackd that Free uploaded to experimental. It's way too
  EDR> late to get it into etch. But, are documentation changes still being
  EDR> accepted?

Do you mean accepted in etch? I think it would be hard to get another
jackd revision into etch at this stage, mainly because this is not a
release critical bug.

But I'll be glad to update the documentation in the next upload of the
jackd package, which will happen after etch gets released.

Ciao,

Free



Reply sent to Marco Rodrigues <gothicx@sapo.pt>:
You have taken responsibility. (Fri, 03 Oct 2008 19:27:09 GMT) Full text and rfc822 format available.

Notification sent to "Mario Izquierdo \(mariodebian\)" <mariodebian@gmail.com>:
Bug acknowledged by developer. (Fri, 03 Oct 2008 19:27:09 GMT) Full text and rfc822 format available.

Message #47 received at 337599-done@bugs.debian.org (full text, mbox):

From: Marco Rodrigues <gothicx@sapo.pt>
To: 337599-done@bugs.debian.org
Subject: realtime-lsm has been removed from Debian, closing #337599
Date: Fri, 3 Oct 2008 20:24:43 +0100
Version: 0.8.7-3.1+rm

The realtime-lsm package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.

For more information about this package's removal, read
http://bugs.debian.org/499245 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues
http://Marco.Tondela.org




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 01 Nov 2008 07:32:19 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 19:30:55 2014; Machine Name: buxtehude.debian.org