From: Frank v Waveren <fvw@var.cx>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: linux capabilities oddity
Date: Thu, 27 Jul 2006 16:19:59 +0200
Message-ID: <20060727141959.GC22794@var.cx>
In-Reply-To: <20060725184719.GA8076@sergelap.austin.ibm.com>
On Tue, Jul 25, 2006 at 01:47:19PM -0500, Serge E. Hallyn wrote:
> Quoting Frank v Waveren (fvw@var.cx):
> > While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> > working, I came across the following code at
> > linux-2.6.x/security/commoncap.c:140:
> >
> > void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> > {
> >         /* Derived from fs/exec.c:compute_creds. */
> >         kernel_cap_t new_permitted, working;
> >
> >         new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> >         working = cap_intersect (bprm->cap_inheritable,
> >                                  current->cap_inheritable);
> >         new_permitted = cap_combine (new_permitted, working);
> >         ...
> >
> > Here the new permitted set gets limited to the bits in cap_bset, which
> > is as it should be, but then the intersection of the current and exec
> > inheritable masks gets added to that set, whereas as I understand it,
> > cap_bset should always be the bounding set.
> [...]
>
> Actually going by the faq
> (http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
> it seems like the cap_intersect with current->cap_inheritable is *too*
> limiting. I haven't checked what the posix draft actually says, but the
> bprm->cap_inheritable is called the 'forced' set, and is supposed to be
> like setuid.
I don't think the force set should be able to override the cap bound
though. Like the force/setuid analogy, I think we can compare the
cap_bset to the old securelevel system, which means that it should be
the bounding factor. Even if you have setuids on a system with a
raised securelevel, they still can't do the restricted operations.
Once again, this is not based on what POSIX 1003.1e says. As a matter
of fact, I can't find anything about lowering the system-wide bound
externally (as opposed to by not having forced-set executables and
dropping the caps from all processes) at all in a quick grep of the
document, so I suspect this is entirely outside of the spec anyway.
--
Frank v Waveren <fvw@var.cx>
Public key: hkp://wwwkeys.pgp.net/468D62C8
Key fingerprint: BDD7 D61E 5D39 CF05 4BFC F57A FA00 7D51 468D 62C8
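As an added illustration (not code from this thread or from the kernel), the following C model replays the quoted permitted-set computation with a 32-bit mask and sets it beside the ordering Frank argues for, where cap_bset is applied after the forced/inheritable intersection is combined in. The capability numbers are taken to match linux/capability.h; the scenario values (a cap-bound with CAP_SYS_MODULE cleared, an executable carrying it in its forced set) are constructed.

```c
#include <stdint.h>
#include <stdio.h>
/* 2.6-era kernel_cap_t was a single 32-bit word; modelled here as uint32_t. */
typedef uint32_t kernel_cap_t;
#define CAP_TO_MASK(x) (1U << (x))
/* Capability numbers as defined in linux/capability.h. */
#define CAP_NET_ADMIN  12
#define CAP_SYS_MODULE 16
static kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b) { return a & b; }
static kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b)   { return a | b; }

/* The permitted-set computation as quoted from commoncap.c: cap_bset clips
 * only the file's permitted set; the forced/inheritable intersection is
 * OR-ed in afterwards and is therefore never bounded by cap_bset. */
kernel_cap_t permitted_as_quoted(kernel_cap_t fP, kernel_cap_t fI,
                                 kernel_cap_t pI, kernel_cap_t cap_bset)
{
    kernel_cap_t new_permitted = cap_intersect(fP, cap_bset);
    kernel_cap_t working = cap_intersect(fI, pI);
    return cap_combine(new_permitted, working);
}

/* Frank's reading of the intent (hypothetical variant, not kernel code):
 * cap_bset is the bounding set, so it is intersected after the combine. */
kernel_cap_t permitted_bounded(kernel_cap_t fP, kernel_cap_t fI,
                               kernel_cap_t pI, kernel_cap_t cap_bset)
{
    kernel_cap_t combined = cap_combine(fP, cap_intersect(fI, pI));
    return cap_intersect(combined, cap_bset);
}

/* Returns 1 if capability number `cap` is present in `set`, else 0. */
int has_cap(kernel_cap_t set, int cap) { return (set & CAP_TO_MASK(cap)) != 0; }

int main(void)
{
    /* Constructed scenario: CAP_SYS_MODULE has been cleared from
     * /proc/sys/kernel/cap-bound, but the executable carries it in its
     * forced (inheritable) set and the caller's inheritable set still has it. */
    kernel_cap_t cap_bset = ~CAP_TO_MASK(CAP_SYS_MODULE);
    kernel_cap_t fP = CAP_TO_MASK(CAP_NET_ADMIN) | CAP_TO_MASK(CAP_SYS_MODULE);
    kernel_cap_t fI = CAP_TO_MASK(CAP_SYS_MODULE);
    kernel_cap_t pI = CAP_TO_MASK(CAP_SYS_MODULE);
    printf("quoted code: CAP_SYS_MODULE permitted = %d\n",
           has_cap(permitted_as_quoted(fP, fI, pI, cap_bset), CAP_SYS_MODULE));
    printf("bounded    : CAP_SYS_MODULE permitted = %d\n",
           has_cap(permitted_bounded(fP, fI, pI, cap_bset), CAP_SYS_MODULE));
    return 0;
}
```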
Thread overview (3 messages):
2006-07-23 14:36 linux capabilities oddity - Frank v Waveren
2006-07-25 18:47 Re: linux capabilities oddity - Serge E. Hallyn
2006-07-27 14:19 Re: linux capabilities oddity - Frank v Waveren [this message]