From: sds@tycho.nsa.gov (Stephen Smalley)
To: linux-security-module@vger.kernel.org
Subject: [RFC PATCH 1/2] security, capabilities: Add CAP_SYS_MOUNT
Date: Mon, 23 Oct 2017 08:57:39 -0400 [thread overview]
Message-ID: <1508763459.24902.1.camel@tycho.nsa.gov> (raw)
In-Reply-To: <20171021134303.20685-1-nicolas@belouin.fr>
On Sat, 2017-10-21 at 15:43 +0200, Nicolas Belouin wrote:
> With CAP_SYS_ADMIN being bloated and inapropriate for actions such
> as mounting/unmounting filesystems, the creation of a new capability
> is needed.
> CAP_SYS_MOUNT is meant to give a process the ability to call for
> mount,
> umount and umount2 syscalls.
If adding a new capability isn't deemed acceptable, then another option
would be to introduce LSM hooks where there isn't already coverage and
implement finer-grained permission checks there. In some cases, that
already occurs for mount and umount*. That also offers the possibility
of taking the object of the operation into account, unlike capabilities
which are only subject/process-based.
>
> Signed-off-by: Nicolas Belouin <nicolas@belouin.fr>
> ---
> ?include/uapi/linux/capability.h?????| 5 ++++-
> ?security/selinux/include/classmap.h | 4 ++--
> ?2 files changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/include/uapi/linux/capability.h
> b/include/uapi/linux/capability.h
> index 230e05d35191..ce230aa6d928 100644
> --- a/include/uapi/linux/capability.h
> +++ b/include/uapi/linux/capability.h
> @@ -365,8 +365,11 @@ struct vfs_ns_cap_data {
> ?
> ?#define CAP_AUDIT_READ 37
> ?
> +/* Allow mounting, unmounting filesystems */
> ?
> -#define CAP_LAST_CAP?????????CAP_AUDIT_READ
> +#define CAP_SYS_MOUNT 38
> +
> +#define CAP_LAST_CAP?????????CAP_SYS_MOUNT
> ?
> ?#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
> ?
> diff --git a/security/selinux/include/classmap.h
> b/security/selinux/include/classmap.h
> index 35ffb29a69cb..a873dce97fd5 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -24,9 +24,9 @@
> ? ????"audit_control", "setfcap"
> ?
> ?#define COMMON_CAP2_PERMS??"mac_override", "mac_admin", "syslog", \
> - "wake_alarm", "block_suspend", "audit_read"
> + "wake_alarm", "block_suspend", "audit_read",
> "sys_mount"
> ?
> -#if CAP_LAST_CAP > CAP_AUDIT_READ
> +#if CAP_LAST_CAP > CAP_SYS_MOUNT
> ?#error New capability defined, please update COMMON_CAP2_PERMS.
> ?#endif
> ?
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
prev parent reply other threads:[~2017-10-23 12:57 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-21 13:43 [RFC PATCH 1/2] security, capabilities: Add CAP_SYS_MOUNT Nicolas Belouin
2017-10-21 13:43 ` [RFC PATCH 2/2] fs: add the possibility to use CAP_SYS_MOUNT to (u)mount a fs Nicolas Belouin
2017-10-21 17:31 ` [kernel-hardening] [RFC PATCH 1/2] security, capabilities: Add CAP_SYS_MOUNT Casey Schaufler
2017-10-21 18:41 ` Nicolas Belouin
2017-10-22 0:54 ` Casey Schaufler
2017-10-23 12:57 ` Stephen Smalley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1508763459.24902.1.camel@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).