From: Herbert Poetzl <herbert@13thfloor.at>
To: Ulrich Drepper <drepper@gmail.com>
Cc: Linus Torvalds <torvalds@osdl.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Linux-VServer <vserver@list.linux-vserver.org>
Subject: Re: The Future of Linux Capabilities ...
Date: Tue, 28 Dec 2004 03:21:39 +0100 [thread overview]
Message-ID: <20041228022139.GA16185@mail.13thfloor.at> (raw)
In-Reply-To: <a36005b5041227152268e68af9@mail.gmail.com>
On Mon, Dec 27, 2004 at 03:22:32PM -0800, Ulrich Drepper wrote:
> On Mon, 27 Dec 2004 02:40:41 +0100, Herbert Poetzl <herbert@13thfloor.at> wrote:
> > II) add 32 (or more) sub-capabilities which depend
> > on the parent capability to be usable, and add
> > appropriate syscalls for them.
> >
> > example: CAP_IPC_LOCK gets two subcapabilities
> > (e.g. SCAP_SHM_LOCK and SCAP_MEM_LOCK) which
>
> I won't try to say anything about III, but I is not really suitable,
> it breaks code currently using capabilities. Or at least makes them
> less secure.
let me assure you that III) does neither break the existing code
nor reduce security, for the following reasons:
a) the per process capability is a requirement for
_all_ subcapabilities (when the cap is in the cap_mask)
b) the capability system isn't changed for caps not
in the cap_mask
c) reducing a cap by removing a subcapability can only
increase security not lower it
> With sub-capabilities the interface diverges from the
> POSIX capabilities interfaces, but at least one can keep backward
> compatibilities.
to some extend, yes ...
> An alternative would be to keep the existing capabilities, and add new
> ones for all the cases which need splitting. If the old value is
> set/reset, all the split-out values are "magically" affected as well.
I consider the 'magically' part another solution I didn't
list in my previous mail, but it is a kind of variation
from II) where we do not necessarily need subcaps for _all_
aspects of a capability (as a matter of fact it's one less)
> This would help keeping the interfaces in line with POSIX and no
> additions to the userlevel libcap would be needed. Yes, new cap[gs]et
> syscalls would be needed, but this fact is hidden from the user.
I guess it might be doable, although the 'magically' part
would require to keep masks for all caps which got split
to select the corresponding sub-capabilities ...
thanks,
Herbert
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
prev parent reply other threads:[~2004-12-28 2:21 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-12-27 1:40 The Future of Linux Capabilities Herbert Poetzl
2004-12-27 19:36 ` Pavel Machek
2005-01-02 19:43 ` Andreas Schwab
2005-01-03 0:04 ` [Vserver] " Herbert Poetzl
2004-12-27 23:22 ` Ulrich Drepper
2004-12-28 2:21 ` Herbert Poetzl [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20041228022139.GA16185@mail.13thfloor.at \
--to=herbert@13thfloor.at \
--cc=drepper@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@osdl.org \
--cc=vserver@list.linux-vserver.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.