Re: [PATCH] execve.2: EPERM from filesystem capabilities.

[Krzysztof Adamski <k@japko.eu>]

On Wed, Mar 09, 2016 at 01:49:41AM +0100, Michael Kerrisk (man-pages) wrote:
>Hello Krzysztof
>
>Sorry for the delayed follow up.
>
>On 10/12/2015 09:45 PM, Krzysztof Adamski wrote:
>> An EPERM error can be returned when using filesystem capabilities and
>> capabilities to be added are not in permitted set.
>>
>> This error return values was introduced by this patch:
>> 5459c16 security: protect legacy applications from executing with
>> insufficient privilege
>
>Can you explain in more detail the scenario where EPERM can be produced.
>I can't see/produce it. Also, the code in the commit that you mention,
>which was part of Linux 2.6.27, was thoroughly changed in Linux 2.6.29.

Hi Michael,
If you're interested in details, I explained it quite extensively here:
http://k.japko.eu/systemd-nspawn-ping-debug.html

The summary is that I used nspawn from systemd which drops some 
capabilites (CAP_NET_ADMIN is amoung them) when spawning a container.  
Now, since I used Fedora in container, my ping binary had filesystem 
capabilites set:

# getcap /bin/ping
/bin/ping = cap_net_admin,cap_net_raw+ep

So when executing this application, kernel tried to give me 
CAP_NET_ADMIN capabilities but they where not on permitted set so I've 
got EPERM.

It was found in kernel 4.1 back then and I just retested this on kernel 
4.3. Unfortunately I don't have time now to verify this for the latest 
kernel but I would be surprised if this feature was removed.

Would you like me to extend/change the description in the patch somehow?

Best regards,
Krzysztof Adamski
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html