From: serge@hallyn.com (Serge E. Hallyn)
To: linux-security-module@vger.kernel.org
Subject: setcap/getcap limitations
Date: Thu, 11 May 2017 22:37:18 -0500 [thread overview]
Message-ID: <20170512033718.GA29494@mail.hallyn.com> (raw)
In-Reply-To: <20170511211146.GZ25861@madcap2.tricolour.ca>
Quoting Richard Guy Briggs (rgb at redhat.com):
> Capabilities gurus,
I cc:d Andrew as he maintains the source package,
> These may arguably be useless or meaningless combinations, but I found them
> sufficiently puzzling as to need to document and report the behaviour. They
> appear to be leftovers from a time when fE may have been a bitfield rather than
> a boolean.
>
>
> 1 - BUG: setcap manpage refers to non-existant cap_from_text(3) and cap_set_file(3)
> manpages (fedora). (It turns out it is in libcap-devel which makes
> sense, but isn't very useful for users of setcap/getcap(8) rather than
> developers.)
Hm, yeah, I suppose. In the libcap source though they all come
together. Perhaps this is cause for distro bugs to make a
common libcap-doc package which both libcap-devel and libcap2-bin
depend on? Really not sure of the best solution.
> 2 - BUG: setcap requires dummy capability present to set or clear effective bit
Getting ready for a short road trip, will look at the rest this weekend.
> While attempting to issue the setcap command to set or clear the effective bit,
> the latter of which is a boolean rather than a capability set, a fatal error
> was returned with a usage message that didn't make much sense:
> # setcap +e /tmp/test
> fatal error: Invalid argument
> usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
> Note <filename> must be a regular (non-symlink) file.
> So in order to set it, I need to use a dummy capability, such as:
> # setcap cap_sys_admin+e /tmp/test
>
>
> 3- BUG: getcap doesn't show effective bit set if no other fP or fI bits are set
>
> # setcap cap_sys_admin+pe /tmp/test
> # getcap /tmp/test
> /tmp/test = cap_sys_admin+ep
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> security.capability=0x0100000200002000000000000000000000000000
> # setfattr -n security.capability -v 0x0100000200000000000000000000000000000000 /tmp/test
> # getcap /tmp/test
> /tmp/test =
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> security.capability=0x0100000200000000000000000000000000000000
> # setcap cap_sys_admin-p /tmp/test
> # getfattr --absolute-names --e hex -n security.capability /tmp/test
> # file: /tmp/test
> security.capability=0x0000000200000000000000000000000000000000
> So, getcap lies, where getfattr is more honest but awkward.
>
>
> Q: How do I set one fP capability and a different fI capability?
>
> >From looking at the manpage for cap_from_text, it appears that capability sets
> can be specified in a similar manner to chmod(1), using "=", "+" and "-"
> operators, but pracitical poking doesn't seem to work that way. "+" seems to
> work like "=" and "-" seems to clear all except the version field.
> Other than resorting to setfattr, how can I set something like
> cap_sys_admin+p with cap_audit_read,cap_audit_write,cap_audit_control+i ?
>
>
> 4 - BUG: The capabilities version doesn't get cleared when all cap bits are
> cleared. This fools kernel into thinking there are fcaps set.
>
> As can be seen above, if setcap is used with "<capability>-<p|e|i>" to unset
> capabilities then the version field is leftover, set. Arguably the -r option
> should have been used to remove the attribute entirely, but in this case, the
> kernel assumes that capabilities are in use due to a valid version number
> present (VFS_CAP_REVISION_MASK). This could be solved in the kernel by
> clearing that attribute field entirely if there are no values set other than
> the version number, or by having "has_cap" check for a value more than just the
> version number. Is it possible to remove some capabilities from a file but not
> all? Or is it intended to simply specify the new set of capabilities that are
> to be set and ignore or strip away the unwanted ones from the set?
>
>
> Thanks!
>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-05-12 3:37 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-11 21:11 setcap/getcap limitations Richard Guy Briggs
2017-05-12 3:37 ` Serge E. Hallyn [this message]
2017-08-20 3:20 ` Richard Guy Briggs
2017-08-31 15:56 ` Serge E. Hallyn
2017-09-04 12:08 ` Richard Guy Briggs
2017-12-15 15:37 ` Serge E. Hallyn
2017-12-15 16:28 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170512033718.GA29494@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).