From: Kees Cook <kees.cook@canonical.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: lkml <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
Andrew Morgan <morgan@kernel.org>,
Steve Grubb <sgrubb@redhat.com>,
Andreas Gruenbacher <agruen@suse.de>,
Michael Kerrisk <mtk.manpages@gmail.com>,
George Wilson <gcwilson@us.ibm.com>
Subject: Re: drop SECURITY_FILE_CAPABILITIES?
Date: Tue, 10 Nov 2009 09:23:35 -0800 [thread overview]
Message-ID: <20091110172335.GI5129@outflux.net> (raw)
In-Reply-To: <20091110140739.GA15534@us.ibm.com>
Hi,
On Tue, Nov 10, 2009 at 08:07:39AM -0600, Serge E. Hallyn wrote:
> Just a probe to see what people think. I've seen two cases
> in about the last month where software was confounded by
> an assumption that prctl(PR_CAPBSET_DROP, CAP_SOMETHING)
> would succeed if privileged, but not handling the fact
> that SECURITY_FILE_CAPABILITIES=n means you can't do that.
>
> Are we at the point yet where we feel we can get rid of
> the SECURITY_FILE_CAPABILITIES=n case?
It seems to me that the process caps bounding set (and file caps) are the
way forward and retaining the =n option is nonsense, especially since caps
are an integral part of the kernel.
> Does anyone know of cases where CONFIG_SECURITY_FILE_CAPABILITIES=n
> is still perceived as useful?
Building a kernel that willfully ignores fscaps? I don't see the point.
It saves only a few bytes of code, AFAICT, and if it needs to be disabled
for some reason, the kernel boot option "no_file_caps" can be set.
At the very least it should default to "y" and/or have its help updated to
include the list of things it enables.
-Kees
--
Kees Cook
Ubuntu Security Team
prev parent reply other threads:[~2009-11-10 17:24 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-10 14:07 drop SECURITY_FILE_CAPABILITIES? Serge E. Hallyn
2009-11-10 15:28 ` Steve Grubb
2009-11-10 15:53 ` Serge E. Hallyn
2009-11-10 17:51 ` Steve Grubb
2009-11-11 0:19 ` Serge E. Hallyn
2009-11-18 16:40 ` Andrew G. Morgan
2009-11-18 17:49 ` Steve Grubb
2009-11-18 18:36 ` Andrew G. Morgan
2009-11-18 19:33 ` Steve Grubb
2009-11-18 19:39 ` Andrew G. Morgan
2009-11-19 15:35 ` Andrew G. Morgan
2009-11-19 20:26 ` Steve Grubb
2009-11-10 17:23 ` Kees Cook [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091110172335.GI5129@outflux.net \
--to=kees.cook@canonical.com \
--cc=agruen@suse.de \
--cc=gcwilson@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serue@us.ibm.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.