From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Tue, 10 Feb 2009 15:38:46 -0600 From: "Serge E. Hallyn" To: Xavier Toth Cc: Stephen Smalley , SELinux List Subject: Re: problem with capabilities inheritance and auditing in python Message-ID: <20090210213846.GB11776@us.ibm.com> References: <1234188170.28831.10.camel@localhost.localdomain> <1234210633.28831.87.camel@localhost.localdomain> <20090209204200.GA25401@us.ibm.com> <20090210183438.GA14133@us.ibm.com> <1234298002.4642.140.camel@localhost.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov Quoting Xavier Toth (txtoth@gmail.com): > On Tue, Feb 10, 2009 at 2:33 PM, Stephen Smalley wrote: > > On Tue, 2009-02-10 at 14:20 -0600, Xavier Toth wrote: > >> On Tue, Feb 10, 2009 at 12:34 PM, Serge E. Hallyn wrote: > >> > Quoting Xavier Toth (txtoth@gmail.com): > >> >> I was not putting capabilities on the script but rather on a compiled > >> >> wrapper which execs a python script in which I need to do auditing. > >> >> Will this not work? > >> > > >> > No, because of the way capabilities are re-calculated on exec(). > >> > > >> > pI' = pI > >> > pP' = (X&fP) | (pI & fI) > >> > pE' = fE ? pP' : 0 > >> > > >> > So since the interpreter has fI=fP=fE=0 and is not setuid root (which > >> > would fill in fP and/or fE to emulate privileged root), pP' and pE' will > >> > be empty after exec(). > >> > > >> > Now you could use a wrapper as follows: Have the wrapper fill pI, > >> > and then fill fI on the python interpreter. Any user who has an > >> > empty pI (which generally is all users) will execute python scripts > >> > with no privilege, but when the wrapper execs the script, pP' will > >> > be filled with (pI&fI) = full. > >> > > >> > -serge > >> > > >> > >> Thanks for the clarification. > >> For anyone one that is interested I've included some test code. The > >> wrapper is a modified version of a wrapper Stephen sent me a link to. > >> Basic steps to test are: > >> 1) edit the wrapper to set the path to the audit_test.py script > >> 2) compiler the wrapper > >> gcc -o audit-wrapper audit-wrapper.c -lcap > >> 3) set the capabilities on the wrapper and python > >> setcap cap_audit_write,cap_setfcap=epi audit-wrapper > > > > Why cap_setfcap (set file capability)? > > The wrapper adds the 'i' back to cap_audit_write as it goes away when > audit-wrapper runs. > I was printing the capabilities in the wrapper for > debug purposes when I noticed that it capabilities were "= > cap_audit_write,cap_setfcap+ep". I think without the i cap_audit_write > can't be inherited by the child process. > > > And do you need to set fI on the wrapper at all, given that it isn't > > inheriting anything from its caller? > > Without cap_setfcap cap_set_proc fails, without cap_audit_write > cap_set_proc fails (see cap_set_proc man page). > > > > >> setcap cap_audit_write=ei /usr/bin/python > > > > Is setting fE required on the interpreter? > > I tried 'i' only it wouldn't work without 'e'. Right, without 'e' the final exec() will end up with cap_audit_write in pP' but not pE', so you won't be able to actually exercise the privilege (without using cap_set_proc() which I assume python doesn't support). It's no big deal, but your use of fI still is more liberal than it needs to be. The following should suffice: setcap cap_audit_write=p audit-wrapper setcap cap_audit_write=ei /usr/bin/python Now anyone running audit-wrapper will get cap_audit_write in pP', but not be able to exercise it (it's not in pE'). Audit-wrapper can put cap_audit_write into pI because it's in pP. Finally, when audit-wrapper execs the python script, that will run with pP'=pI'=pP'=cap_audit_write. -serge -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.