From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Christoph Lameter <cl@linux.com>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Aaron Jones <aaronmdjones@gmail.com>, Ted Ts'o <tytso@mit.edu>,
LSM List <linux-security-module@vger.kernel.org>,
Andrew Morton <akpm@linuxfoundation.org>,
"Andrew G. Morgan" <morgan@kernel.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Austin S Hemmelgarn <ahferroin7@gmail.com>,
Markku Savela <msa@moth.iki.fi>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Jonathan Corbet <corbet@lwn.net>
Subject: Re: [PATCH] capabilities: Ambient capability set V1
Date: Thu, 26 Feb 2015 15:19:54 -0600
Message-ID: <20150226211954.GC19273@mail.hallyn.com>
In-Reply-To: <CALCETrXGO+ejHAfic4fozf1y48WDBdk3Mo=dFt8MMxtN1HOuUg@mail.gmail.com>
On Thu, Feb 26, 2015 at 12:58:33PM -0800, Andy Lutomirski wrote:
> On Thu, Feb 26, 2015 at 12:55 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > On Thu, Feb 26, 2015 at 12:51:57PM -0800, Andy Lutomirski wrote:
> >> On Thu, Feb 26, 2015 at 12:34 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> >> > On Thu, Feb 26, 2015 at 02:13:00PM -0600, Christoph Lameter wrote:
> >> >> On Thu, 26 Feb 2015, Serge E. Hallyn wrote:
> >> >>
> >> >> > Andrew Morgan was against that. What if we changed
> >> >> >
> >> >> > pE' = pP' & (fE | pA)
> >> >> >
> >> >> > to
> >> >> >
> >> >> > if (pA)
> >> >> > pE' = pP' & fE
> >> >> > else
> >> >> > pE' = pP'
> >> >> >
> >> >>
> >> >> Same problem as before. The ambient bits will not be set in pE'.
> >> >
> >> > And what if I weren't scatterbrained and we did
> >> >
> >> > if (pA)
> >> > pE' = pP'
> >> > else
> >> > pE' = pP' & fE
> >> >
> >> > All pP' bits would be set in pE'.
> >>
> >> That seems reasonable to me, except for my paranoia:
> >>
> >> What if there's a program with CAP_DAC_OVERRIDE in fP and fE set to
> >> the empty set (i.e. the magic effective bit cleared), and the program
> >> relies on that. A malicious user has CAP_NET_BIND and sets pA =
> >> CAP_NET_BIND. Boom!
> >>
> >> If we changed that to if (pA') and zeroed pA if fP is non-empty then
> >> this problem goes away.
> >
> > Hm, the problem is that then the empty pA is inherited by children.
> > I do see that any program with fP set should probably run with only
> > what it requested. Would
> >
> > if (pA && is_empty(fP))
> > pE' = pP'
> > else
> > pE' = pP' & fE
> >
> > help? Or are you worried about a program with fP set which then
> > executes other programs?
>
> The particular worry I expressed there was just about pE.
>
> I'm still extremely nervous about allowing nonempty pA to propagate to
> setuid or nonzero fP programs. It's less obviously dangerous if pA is
> never a superset of pP, but it could still cause problems with setuid
> programs that execute intentionally deprivileged helpers.
I don't think that what you want is compatible with what Christoph
wants. (He also thinks that what I want is not compatible with what
he wants, but I still think it is.)

The approach I'm taking is that pA is useless if pI is not set. For
a privileged program to fill its pI is a pretty special thing now,
so this shouldn't be catching anyone by surprise. Furthermore,
the privileged program which is filling both its pI and pA
and then executing other files could achieve the same result
by filling pI and setting file capabilities on all executables.
Setting pA gives them a different tradeoff (limiting the
capabilities trust to its process tree, but to all binaries)
which should do what Christoph wants. By limiting the effective pA to fP
if fP is not empty, we're only preventing the file which
had fP set from running in an unexpected way, which should be
safer. (But if it executes another file, that file will
receive the original pA.)
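As an added model of the three pE' rules quoted in this thread (not code from the thread, the V1 patch or the kernel), checked against Andy's scenario of a binary with CAP_DAC_OVERRIDE in fP, fE empty, and a caller that set pA to CAP_NET_BIND_SERVICE. It assumes pP' = fP | (pI & fI) | pA with the bounding set treated as full; the thread never spells out pP'.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Bit numbers from <linux/capability.h>; the thread's "CAP_NET_BIND" is
 * CAP_NET_BIND_SERVICE. One bit per capability, like kernel_cap_t. */
#define CAP_DAC_OVERRIDE     1
#define CAP_NET_BIND_SERVICE 10
#define CAP(n) (UINT64_C(1) << (n))
typedef uint64_t capset_t;

/* Task state before exec (pI, pA) and the binary's file caps (fP, fI, fE). */
struct caps { capset_t pI, pA, fP, fI, fE; };

enum rule {
    RULE_ORIGINAL,       /* pE' = pP' & (fE | pA)                              */
    RULE_ANY_PA,         /* if (pA) pE' = pP' else pE' = pP' & fE               */
    RULE_PA_IF_FP_EMPTY, /* if (pA && is_empty(fP)) pE' = pP' else pE' = pP' & fE */
};
/* Assumption (not stated in the thread): pP' = fP | (pI & fI) | pA, with
 * the bounding set treated as full. */
static capset_t new_permitted(const struct caps *c)
{
    return c->fP | (c->pI & c->fI) | c->pA;
}

/* pE' after exec under each rule quoted in the thread. */
static capset_t new_effective(const struct caps *c, enum rule r)
{
    capset_t pP = new_permitted(c);
    switch (r) {
    case RULE_ORIGINAL: return pP & (c->fE | c->pA);
    case RULE_ANY_PA:   return c->pA ? pP : (pP & c->fE);
    default:            return (c->pA && c->fP == 0) ? pP : (pP & c->fE); /* RULE_PA_IF_FP_EMPTY */
    }
}

/* Andy's scenario: fP = {DAC_OVERRIDE}, fE empty (effective bit cleared),
 * caller set pA = {NET_BIND_SERVICE}. Does DAC_OVERRIDE become effective? */
static bool dac_override_leaks(enum rule r)
{
    struct caps c = { .pA = CAP(CAP_NET_BIND_SERVICE), .fP = CAP(CAP_DAC_OVERRIDE) };
    return (new_effective(&c, r) & CAP(CAP_DAC_OVERRIDE)) != 0;
}

int main(void)
{
    for (enum rule r = RULE_ORIGINAL; r <= RULE_PA_IF_FP_EMPTY; r++)
        printf("rule %d: DAC_OVERRIDE leaks into pE' = %d\n", (int)r, dac_override_leaks(r));
    return 0;
}
```

Only the unconditional "if (pA) pE' = pP'" variant makes DAC_OVERRIDE effective; the fP-empty variant avoids that, but in the same scenario it leaves the ambient NET_BIND_SERVICE bit out of pE' as well, which is Christoph's complaint about the earlier form.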