Re: [PATCH v3 2/2] capabilities: Add a securebit to disable PR_CAP_AMBIENT_RAISE

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>,
	Andrew Morton <akpm@linuxfoundation.org>,
	James Morris <james.l.morris@oracle.com>,
	Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
	Ted Ts'o <tytso@mit.edu>, "Andrew G. Morgan" <morgan@kernel.org>,
	Linux API <linux-api@vger.kernel.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Michael Kerrisk <mtk.manpages@gmail.com>,
	Austin S Hemmelgarn <ahferroin7@gmail.com>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Aaron Jones <aaronmdjones@gmail.com>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Markku Savela <msa@moth.iki.fi>,
	Kees Cook <keescook@chromium.org>,
	Jonathan Corbet <corbet@lwn.net>,
	Christoph Lameter <cl@linux.com>,
	Andy Lutomirski <luto@amacapital.net>
Subject: Re: [PATCH v3 2/2] capabilities: Add a securebit to disable PR_CAP_AMBIENT_RAISE
Date: Thu, 4 Jun 2015 17:03:01 -0500	[thread overview]
Message-ID: <20150604220301.GA5920@mail.hallyn.com> (raw)
In-Reply-To: <8b3a8b2fa031e043483f2f444f0b51aed0681e85.1432770087.git.luto@kernel.org>

On Wed, May 27, 2015 at 04:47:59PM -0700, Andy Lutomirski wrote:
> Per Andrew Morgan's request, add a securebit to allow admins to
> disable PR_CAP_AMBIENT_RAISE.  This securebit will prevent processes
> from adding capabilities to their ambient set.
> 
> For simplicity, this disables PR_CAP_AMBIENT_RAISE entirely rather
> than just disabling setting previously cleared bits.
> 
> Acked-By: Andrew G. Morgan <morgan@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Christoph Lameter <cl@linux.com>
> Cc: Serge Hallyn <serge.hallyn@canonical.com>

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>

> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Jonathan Corbet <corbet@lwn.net>
> Cc: Aaron Jones <aaronmdjones@gmail.com>
> CC: Ted Ts'o <tytso@mit.edu>
> Cc: linux-security-module@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-api@vger.kernel.org
> Cc: akpm@linuxfoundation.org
> Cc: Andrew G. Morgan <morgan@kernel.org>
> Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Cc: Austin S Hemmelgarn <ahferroin7@gmail.com>
> Cc: Markku Savela <msa@moth.iki.fi>
> Cc: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
> Cc: Michael Kerrisk <mtk.manpages@gmail.com>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> ---
>  include/uapi/linux/securebits.h | 11 ++++++++++-
>  security/commoncap.c            |  3 ++-
>  2 files changed, 12 insertions(+), 2 deletions(-)
> 
> diff --git a/include/uapi/linux/securebits.h b/include/uapi/linux/securebits.h
> index 985aac9e6bf8..35ac35cef217 100644
> --- a/include/uapi/linux/securebits.h
> +++ b/include/uapi/linux/securebits.h
> @@ -43,9 +43,18 @@
>  #define SECBIT_KEEP_CAPS	(issecure_mask(SECURE_KEEP_CAPS))
>  #define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
>  
> +/* When set, a process cannot add new capabilities to its ambient set. */
> +#define SECURE_NO_CAP_AMBIENT_RAISE		6
> +#define SECURE_NO_CAP_AMBIENT_RAISE_LOCKED	7  /* make bit-6 immutable */
> +
> +#define SECBIT_NO_CAP_AMBIENT_RAISE (issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
> +#define SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED \
> +			(issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED))
> +
>  #define SECURE_ALL_BITS		(issecure_mask(SECURE_NOROOT) | \
>  				 issecure_mask(SECURE_NO_SETUID_FIXUP) | \
> -				 issecure_mask(SECURE_KEEP_CAPS))
> +				 issecure_mask(SECURE_KEEP_CAPS) | \
> +				 issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE))
>  #define SECURE_ALL_LOCKS	(SECURE_ALL_BITS << 1)
>  
>  #endif /* _UAPI_LINUX_SECUREBITS_H */
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 835a7584f7ea..22b7b91c5eae 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -987,7 +987,8 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
>  			if (arg2 == PR_CAP_AMBIENT_RAISE &&
>  			    (!cap_raised(current_cred()->cap_permitted, arg3) ||
>  			     !cap_raised(current_cred()->cap_inheritable,
> -					 arg3)))
> +					 arg3) ||
> +			     issecure(SECURE_NO_CAP_AMBIENT_RAISE)))
>  				return -EPERM;
>  
>  			new = prepare_creds();
> -- 
> 2.1.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

     prev parent reply	other threads:[~2015-06-04 22:03 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-05-27 23:47 [PATCH v3 0/2] capabilities: Ambient capability patchset Andy Lutomirski
     [not found] ` <cover.1432770087.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2015-05-27 23:47   ` [PATCH v3 1/2] capabilities: Ambient capabilities Andy Lutomirski
2015-05-27 23:47     ` Andy Lutomirski
2015-06-09 23:09     ` Kees Cook
     [not found]       ` <CAGXu5j+Y85U9pjZUO0LM8rOO-YJrqvwzsXNjmaxN=D+JiQrpJw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-10  0:00         ` Andy Lutomirski
2015-06-10  0:00           ` Andy Lutomirski
     [not found]           ` <CALCETrXz9e_PiAZaGRLuunyDu3-nRW_jopvvXcQwU3gN=sm_SA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-06-10 19:24             ` Kees Cook
2015-06-10 19:24               ` Kees Cook
2015-06-04 19:33   ` [PATCH v3 0/2] capabilities: Ambient capability patchset Andy Lutomirski
2015-06-04 19:33     ` Andy Lutomirski
2015-05-27 23:47 ` [PATCH v3 2/2] capabilities: Add a securebit to disable PR_CAP_AMBIENT_RAISE Andy Lutomirski
2015-06-04 22:03   ` Serge E. Hallyn [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150604220301.GA5920@mail.hallyn.com \
    --to=serge@hallyn.com \
    --cc=aaronmdjones@gmail.com \
    --cc=ahferroin7@gmail.com \
    --cc=akpm@linuxfoundation.org \
    --cc=cl@linux.com \
    --cc=corbet@lwn.net \
    --cc=james.l.morris@oracle.com \
    --cc=jarkko.sakkinen@linux.intel.com \
    --cc=keescook@chromium.org \
    --cc=linux-api@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=luto@amacapital.net \
    --cc=luto@kernel.org \
    --cc=morgan@kernel.org \
    --cc=msa@moth.iki.fi \
    --cc=mtk.manpages@gmail.com \
    --cc=serge.hallyn@canonical.com \
    --cc=serge.hallyn@ubuntu.com \
    --cc=tytso@mit.edu \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.