From: Stephen Smalley <sds@tycho.nsa.gov>
To: Xavier Toth <txtoth@gmail.com>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
SELinux List <selinux@tycho.nsa.gov>
Subject: Re: problem with capabilities inheritance and auditing in python
Date: Tue, 10 Feb 2009 16:38:45 -0500 [thread overview]
Message-ID: <1234301925.7397.47.camel@localhost.localdomain> (raw)
In-Reply-To: <cadfc0e40902101337y5d786bd1q57fa72a99aec5ee7@mail.gmail.com>
On Tue, 2009-02-10 at 15:37 -0600, Xavier Toth wrote:
> On Tue, Feb 10, 2009 at 3:25 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> > On Tue, 2009-02-10 at 14:20 -0600, Xavier Toth wrote:
> >> On Tue, Feb 10, 2009 at 12:34 PM, Serge E. Hallyn <serue@us.ibm.com> wrote:
> >> > Quoting Xavier Toth (txtoth@gmail.com):
> >> >> I was not putting capabilities on the script but rather on a compiled
> >> >> wrapper which execs a python script in which I need to do auditing.
> >> >> Will this not work?
> >> >
> >> > No, because of the way capabilities are re-calculated on exec().
> >> >
> >> > pI' = pI
> >> > pP' = (X&fP) | (pI & fI)
> >> > pE' = fE ? pP' : 0
> >> >
> >> > So since the interpreter has fI=fP=fE=0 and is not setuid root (which
> >> > would fill in fP and/or fE to emulate privileged root), pP' and pE' will
> >> > be empty after exec().
> >> >
> >> > Now you could use a wrapper as follows: Have the wrapper fill pI,
> >> > and then fill fI on the python interpreter. Any user who has an
> >> > empty pI (which generally is all users) will execute python scripts
> >> > with no privilege, but when the wrapper execs the script, pP' will
> >> > be filled with (pI&fI) = full.
> >> >
> >> > -serge
> >> >
> >>
> >> Thanks for the clarification.
> >> For anyone one that is interested I've included some test code. The
> >> wrapper is a modified version of a wrapper Stephen sent me a link to.
> >> Basic steps to test are:
> >> 1) edit the wrapper to set the path to the audit_test.py script
> >> 2) compiler the wrapper
> >> gcc -o audit-wrapper audit-wrapper.c -lcap
> >> 3) set the capabilities on the wrapper and python
> >> setcap cap_audit_write,cap_setfcap=epi audit-wrapper
> >> setcap cap_audit_write=ei /usr/bin/python
> >> 4) run audit-wrapper
> >> 5) check audit log for audit records.
> >>
> >> I also ran audit_test.py without the wrapper to verify that no audit
> >> would occur.
> >>
> >> Ted
> >>
> >> ------------------------------------------------------------------------------
> >> audit-wrapper.c
> >> ------------------------------------------------------------------------
> >>
> > <snip>
> >> cap_t cur = cap_from_text("cap_audit_write+i");
> >> int ret = cap_set_proc(cur);
> >> if (ret) {
> >> perror("cap_set_proc");
> >> return 1;
> >> }
> >> cap_free(cur);
> >
> > Looks like you could make your wrapper generic for any capabilities by
> > having it copy the permitted (or effective) set to the inheritable set.
> > Something like this:
> > cap_t cur = cap_get_proc();
> > cap_value_t caps[1];
> > cap_flag_value_t value;
> > int i, rc;
> > for (i = 0; i < CAP_LAST_CAP; i++) {
> > rc = cap_get_flag(cur, i, CAP_PERMITTED, &value);
> > if (rc < 0) {
> > perror("cap_get_flag");
> > return 1;
> > }
> > caps[0] = i;
> > rc = cap_set_flag(cur, CAP_INHERITABLE, 1, caps, value);
> > if (rc < 0) {
> > perror("cap_set_flag");
> > return 1;
> > }
> > }
> > rc = cap_set_proc(cur);
> > if (rc < 0) {
> > perror("cap_set_proc");
> > return 1;
> > }
> > cap_free(cur);
> >
> > Serge - is there any easier way?
> >
> > --
> > Stephen Smalley
> > National Security Agency
> >
> >
>
> "If any flag in cap_p is set for any capability not currently permitted
> for the calling process, the function will fail"
That's ok, because you've set cap_audit_write=p on the wrapper, so
cap_audit_write is in the permitted set and putting it into your
inheritable set requires no further privilege. Certainly not
cap_setpcap. I tried it here.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-02-10 21:38 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-02-05 17:08 problem with capabilities inheritance and auditing in python Xavier Toth
2009-02-05 18:10 ` Stephen Smalley
2009-02-06 21:56 ` Xavier Toth
2009-02-09 14:02 ` Stephen Smalley
2009-02-09 16:42 ` Xavier Toth
2009-02-09 20:17 ` Stephen Smalley
2009-02-09 20:42 ` Serge E. Hallyn
2009-02-10 17:00 ` Xavier Toth
2009-02-10 18:34 ` Serge E. Hallyn
2009-02-10 20:20 ` Xavier Toth
2009-02-10 20:33 ` Stephen Smalley
2009-02-10 20:59 ` Xavier Toth
2009-02-10 21:08 ` Stephen Smalley
2009-02-10 21:30 ` Serge E. Hallyn
2009-02-10 21:38 ` Serge E. Hallyn
2009-02-10 21:45 ` Xavier Toth
2009-02-10 21:25 ` Stephen Smalley
2009-02-10 21:37 ` Xavier Toth
2009-02-10 21:38 ` Stephen Smalley [this message]
2009-02-10 21:46 ` Serge E. Hallyn
2009-02-10 21:44 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1234301925.7397.47.camel@localhost.localdomain \
--to=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=serue@us.ibm.com \
--cc=txtoth@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.