From: "Serge E. Hallyn" <serue@us.ibm.com>
To: lkml <linux-kernel@vger.kernel.org>
Cc: Ashwin Ganti <ashwin.ganti@gmail.com>,
David Howells <dhowells@redhat.com>, Greg KH <greg@kroah.com>,
rsc@swtch.com, ericvh@gmail.com,
linux-security-module@vger.kernel.org,
Ron Minnich <rminnich@gmail.com>,
jt.beard@gmail.com, Andrew Morgan <morgan@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Oleg Nesterov <oleg@redhat.com>, Eric Paris <eparis@redhat.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Randy Dunlap <rdunlap@xenotime.net>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Kyle Moffett <kyle@moffetthome.net>,
Steve Grubb <sgrubb@redhat.com>
Subject: [PATCH 2/3] p9auth: add CAP_GRANT_ID to authorize use of /dev/caphash
Date: Tue, 27 Apr 2010 11:43:36 -0500 [thread overview]
Message-ID: <20100427164336.GB7530@us.ibm.com> (raw)
In-Reply-To: <20100427164139.GA7359@us.ibm.com>
Granting userid capabilities to another task is a dangerous
privilege. Don't just let file permissions authorize it.
Define CAP_GRANT_ID as a new capability needed to write to
/dev/caphash.
For one thing this lets us start a factotum server early on
in init, then have init drop CAP_GRANT_ID from its bounding
set so the rest of the system cannot regain it.
(This patch is only useful if the next patch, introducing p9auth fs, is
upstreamed)
TODO - patch for capabilities.7 manpage
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Andrew Morgan <morgan@kernel.org>
Cc: James Morris <jmorris@namei.org>
Cc: linux-security-module@vger.kernel.org
---
include/linux/capability.h | 6 +++++-
security/selinux/include/classmap.h | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 39e5ff5..ba2cbfe 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -355,7 +355,11 @@ struct cpu_vfs_cap_data {
#define CAP_MAC_ADMIN 33
-#define CAP_LAST_CAP CAP_MAC_ADMIN
+/* Allow granting setuid capabilities through p9auth /dev/caphash */
+
+#define CAP_GRANT_ID 34
+
+#define CAP_LAST_CAP CAP_GRANT_ID
#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 8b32e95..f0ec53a 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -142,7 +142,7 @@ struct security_class_mapping secclass_map[] = {
"node_bind", "name_connect", NULL } },
{ "memprotect", { "mmap_zero", NULL } },
{ "peer", { "recv", NULL } },
- { "capability2", { "mac_override", "mac_admin", NULL } },
+ { "capability2", { "mac_override", "mac_admin", "grant_id", NULL } },
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
{ "tun_socket",
{ COMMON_SOCK_PERMS, NULL } },
--
1.7.0.4
next prev parent reply other threads:[~2010-04-27 20:44 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-27 16:41 [PATCH 0/3] p9auth fs: introduction Serge E. Hallyn
2010-04-27 16:42 ` [PATCH 1/3] p9auth: split core function out of some set*{u,g}id functions Serge E. Hallyn
2010-05-04 14:52 ` David Howells
2010-04-27 16:43 ` Serge E. Hallyn [this message]
2010-04-27 16:45 ` [PATCH 3/3] RFC: p9auth: add p9auth fs Serge E. Hallyn
2010-04-28 11:17 ` Oleg Nesterov
2010-04-28 15:10 ` Serge E. Hallyn
2010-04-28 15:39 ` Oleg Nesterov
2010-05-03 23:50 ` Serge E. Hallyn
2010-05-04 14:57 ` David Howells
2010-05-04 15:14 ` Serge E. Hallyn
-- strict thread matches above, loose matches on Subject: below --
2010-04-21 1:27 [PATCH 1/3] p9auth: split core function out of some set*{u,g}id functions Serge E. Hallyn
2010-04-21 1:28 ` [PATCH 2/3] p9auth: add CAP_GRANT_ID to authorize use of /dev/caphash Serge E. Hallyn
2010-04-21 2:54 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100427164336.GB7530@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ashwin.ganti@gmail.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=eparis@redhat.com \
--cc=ericvh@gmail.com \
--cc=greg@kroah.com \
--cc=jt.beard@gmail.com \
--cc=kyle@moffetthome.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=rdunlap@xenotime.net \
--cc=rminnich@gmail.com \
--cc=rsc@swtch.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.