From: Casey Schaufler <casey@schaufler-ca.com>
To: Darrel Goeddel <dgoeddel@TrustedCS.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: [patch] selinux_capget()
Date: Mon, 13 Dec 2004 16:48:49 -0800 (PST) [thread overview]
Message-ID: <20041214004849.25751.qmail@web50201.mail.yahoo.com> (raw)
In-Reply-To: <41BE1887.4010201@trustedcs.com>
--- Darrel Goeddel <dgoeddel@trustedcs.com> wrote:
> Currently, SELinux restricts the use of capabilities
> by a process based on the
> process domain's access to the capability security
> class. This restriction is
> not reflected in the capabilities returned by the
> capget system call. I have
> attached a small patch which would remove the
> "disallowed" capabilities from the
> effective set that is returned from the call. This
> seems to be a good idea to
> me because it gives an accurate picture of the the
> capabilities that a process
> can use. Does anyone else have an opinion on this?
I do! I do!
The POSIX 1003.1e/2c (previously P1003.6) working
group that developed the capabilities interface
upon which Linux capabilities are based discussed
this issue at length. The concensus was that such
a "correction" should not be made. One example that
was used to demonstrate the rationale is a system
(such as IRIX) on which you are allowed to perform
a privileged operation if you have the capability
or if your UID is zero (i.e. you are root). The
getcap() call should not "correct" the effective
set of capabilities to indicate they are all on
for a root process, but should instead return the
actual set. This is in line with the "stat" behavior
which reports the actual mode bits, even if they
include "w" on a read-only file system.
Briefly, the intent of the POSIX specification
is that you should not "correct" the effective set
due to the impact of additional policies or
conditions.
=====
Casey Schaufler
casey@schaufler-ca.com
__________________________________
Do you Yahoo!?
Yahoo! Mail - Find what you need with new enhanced search.
http://info.mail.yahoo.com/mail_250
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-12-14 0:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-13 22:32 [patch] selinux_capget() Darrel Goeddel
2004-12-14 0:05 ` James Morris
2004-12-14 0:48 ` Casey Schaufler [this message]
2004-12-14 6:09 ` James Morris
2004-12-14 14:37 ` Stephen Smalley
2004-12-14 15:14 ` Stephen Smalley
2004-12-14 15:53 ` Darrel Goeddel
2004-12-14 16:11 ` Stephen Smalley
2004-12-14 16:22 ` Casey Schaufler
2004-12-20 1:16 ` Russell Coker
2004-12-20 4:51 ` Casey Schaufler
2004-12-20 1:10 ` Russell Coker
2004-12-21 20:32 ` Valdis.Kletnieks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041214004849.25751.qmail@web50201.mail.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=dgoeddel@TrustedCS.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.