From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Christoph Lameter <cl@linux.com>,
casey@schaufler-ca.com, Andy Lutomirski <luto@amacapital.net>,
Jonathan Corbet <corbet@lwn.net>,
Aaron Jones <aaronmdjones@gmail.com>, "Ted Ts'o" <tytso@mit.edu>,
linux-security-module@vger.kernel.org,
lkml <linux-kernel@vger.kernel.org>,
akpm@linuxfoundation.org
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
Date: Thu, 5 Feb 2015 01:34:34 +0100 [thread overview]
Message-ID: <20150205003434.GC23013@mail.hallyn.com> (raw)
In-Reply-To: <CALQRfL5iyu0n5rJCNLUVNMiekBEXzEnPFU-Fz0AibJ+E0d6o-Q@mail.gmail.com>
Quoting Andrew G. Morgan (morgan@kernel.org):
> I'm not generally in favor of this. Mostly because this seems to be a
> mini-root kind of inheritance that propagates privilege to binaries
> that aren't prepared for privilege.
Earlier in this thread, Casey said:
| One of the holes in the 1003.1e spec is what to do with a program file
| that does not have a capability set attached to it. The two options are
| drop all capabilities and leave the capabilities alone. The latter gives
| you what you're asking for. The former is arguably safer.
and
| It's what we did in Trusted Irix. It made life much easier.
I'm going to need to clear my head a bit before I try to compare that to
the root cause of the sendmail capabilities bug.
> I don't really buy the mmap code
> concern because the model as it stands says that you trust the binary
> (and all of the various ways it was programmed to execute code) with
> specific privileges. If the binary mmap's some code (PAM modules come
> to mind) then that is part of what it was programmed to/allowed to do.
That's not really the point... The point is that yes, a mini-root is
exactly what is being asked for :) I'm not saying I expect an adversary
to do the mmap+jump, but that currently it is a, and the only, way to
do unprivileged userid with retaining some privileges to run legacy
programs.
> That being said, if you really really want this kind of thing, then
> make it a single secure bit (with another lock on/off bit) which, when
> set, makes: fI default to X.
>
> pP' = (X & fP) | (pI & fI)
>
> That way the per-process bounding set still works as advertised and
> you don't need to worry about the existing semantics being violated.
Maybe that is the way to go...
-serge
next prev parent reply other threads:[~2015-02-05 0:34 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-02 16:21 [capabilities] Allow normal inheritance for a configurable set of capabilities Christoph Lameter
2015-02-02 17:12 ` Serge Hallyn
2015-02-02 17:18 ` Andy Lutomirski
2015-02-02 18:09 ` Serge Hallyn
2015-02-03 15:16 ` Christoph Lameter
2015-02-03 15:23 ` Christoph Lameter
2015-02-03 15:55 ` Serge E. Hallyn
2015-02-03 17:18 ` Christoph Lameter
2015-02-03 17:26 ` Serge E. Hallyn
2015-02-04 15:15 ` Andrew G. Morgan
2015-02-04 15:50 ` Christoph Lameter
2015-02-04 15:56 ` Serge E. Hallyn
2015-02-04 16:12 ` Andrew G. Morgan
2015-02-04 16:34 ` Andy Lutomirski
2015-02-04 16:54 ` Andrew G. Morgan
2015-02-04 17:34 ` Serge E. Hallyn
2015-02-04 18:12 ` Christoph Lameter
2015-02-04 16:43 ` Christoph Lameter
2015-02-04 16:27 ` Andy Lutomirski
2015-02-05 0:34 ` Serge E. Hallyn [this message]
2015-02-05 15:23 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
2015-02-25 23:59 ` Christoph Lameter
2015-02-26 12:27 ` Pavel Machek
2015-02-27 20:15 ` Andy Lutomirski
2015-02-27 20:48 ` Pavel Machek
2015-02-27 20:56 ` Andy Lutomirski
2015-02-27 22:47 ` Pavel Machek
2015-02-02 17:54 ` Casey Schaufler
2015-02-02 18:08 ` Serge Hallyn
2015-02-02 18:47 ` Mimi Zohar
2015-02-02 19:05 ` Austin S Hemmelgarn
2015-02-02 20:35 ` Casey Schaufler
2015-02-03 16:04 ` Serge E. Hallyn
2015-02-02 19:00 ` Casey Schaufler
2015-02-05 0:20 ` Serge E. Hallyn
2015-02-02 20:37 ` Andy Lutomirski
2015-02-02 20:54 ` Casey Schaufler
2015-02-03 15:51 ` Serge E. Hallyn
2015-02-03 16:37 ` Casey Schaufler
2015-02-03 17:28 ` Serge E. Hallyn
2015-02-03 17:50 ` Casey Schaufler
2015-02-03 19:45 ` Christoph Lameter
2015-02-03 20:13 ` Andy Lutomirski
2015-02-03 23:14 ` Christoph Lameter
2015-02-03 23:17 ` Andy Lutomirski
2015-02-04 2:27 ` Christoph Lameter
2015-02-04 6:05 ` Markku Savela
2015-02-04 13:17 ` Christoph Lameter
2015-02-04 13:41 ` Markku Savela
2015-02-04 14:56 ` Jarkko Sakkinen
2015-02-03 15:17 ` Christoph Lameter
2015-02-03 15:40 ` Casey Schaufler
2015-02-03 15:46 ` Serge E. Hallyn
2015-02-03 17:19 ` Christoph Lameter
2015-02-03 17:29 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150205003434.GC23013@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=aaronmdjones@gmail.com \
--cc=akpm@linuxfoundation.org \
--cc=casey@schaufler-ca.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=morgan@kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.