From: "Serge E. Hallyn" <serge@hallyn.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
Andy Lutomirski <luto@kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
ksrot@redhat.com
Subject: Re: Anomalous output from getpcaps(1) for process with all capabilities
Date: Mon, 23 Dec 2019 13:14:21 -0600 [thread overview]
Message-ID: <20191223191421.GA32030@mail.hallyn.com> (raw)
In-Reply-To: <CALQRfL50+JUGcWk_NyyKvviCeNUPQdjjP=OGoewvH-mU6Pn2hQ@mail.gmail.com>
On Sun, Dec 22, 2019 at 10:00:06AM -0800, Andrew G. Morgan wrote:
> I can take a look, but I'm not really convinced this isn't going to
> cause me grief at some point in the future when the kernel adds
> support for another capability and all' does not equal all. I've done
> some digging and I thought it was worth writing up.
>
> Today, the kernel treats 'all' (as it is defined by libcap today)
> differently for file and process capabilities. I suspect this is
> contributing to expectations about what all means, because all as
> defined today is effectively useless, and somewhere in the kernel
> we've worked around it for filecaps when we shouldn't have.
>
> Explanation of kernel bug (no use of 'all' here):
>
> 1) placing, say, bit-63 (undef today) and bit-0 (cap_chown) on the
> permitted (fP) vector of a file, yields a file that can execute - it
> gets pP=cap_chown.
>
> cd libcap/progs ; make ; cp capsh pcapsh ; sudo setcap
> 63,cap_setpcap,cap_chown=p pcapsh
>
> ./pcapsh --print
>
> 2) dropping cap_chown from the bounding set causes this same file to
> not run (insufficient privilege) because the file has been setup to
> require cap_chown, but can't have it so (by design) we deny execution
> altogether -- this fails:
>
> ./pcapsh --drop=cap_chown --print == --print
>
> To be consistent, (1) should fail because bit-63 is being dropped by
> the bounding set at execution time. That is, a binary that requires
> some future definition for capability #63 to run successfully should
> fail on a kernel that does not support it today. This but was
> introduced with this kernel commit:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/security/commoncap.c?id=7d8b6c63751cfbbe5eef81a48c22978b3407a3ad
>
> Ironically, the commit message declares the fact that (4) now passes
> is the fix. The real fix is to think about what we mean by 'all'.
Yes, I get the feeling you're right.
It'd be nice to simply say "you can only enable the caps you know
about, bit by bit." The problem is, we have distributions, and we
have containers, and demanding that all filecap-enabled binaries be
fixed up every time you switch to a new kernel with more or fewer
capabilities is unworkable.
One thing we could do is declare that bit nbits-1 (63 in 64 bit caps)
means "all caps that the kernel knows about." If 63 and any other
caps are enabled, then -EINVAL. If/when we switch to 128 bit caps,
then bit 63 becomes a valid cap there, and 127 is 'all'.
Of course that's not at all backward compatible, so would have to be
done in a new capability version.
-serge
prev parent reply other threads:[~2019-12-23 19:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-15 15:43 Anomalous output from getpcaps(1) for process with all capabilities Michael Kerrisk (man-pages)
[not found] ` <CALQRfL7i5r1d1K3fOuwyJ0BtmrsVMC8zzdd0Z7=14n3X8QNw5g@mail.gmail.com>
2019-12-15 18:35 ` Andrew G. Morgan
2019-12-15 19:17 ` Michael Kerrisk (man-pages)
2019-12-15 23:26 ` Andrew G. Morgan
2019-12-16 4:52 ` Michael Kerrisk (man-pages)
2019-12-16 5:10 ` Michael Kerrisk (man-pages)
[not found] ` <CALQRfL4_kVKX=qJ0nDnEGgVeUHtQG5BDTCX72KfZr0toc-Mpuw@mail.gmail.com>
2019-12-21 3:08 ` Serge E. Hallyn
2019-12-21 3:27 ` Andrew G. Morgan
2019-12-21 4:36 ` Serge E. Hallyn
2019-12-22 18:00 ` Andrew G. Morgan
2019-12-22 23:36 ` Andrew G. Morgan
2019-12-23 18:05 ` Serge E. Hallyn
[not found] ` <CALQRfL6yKpXmpnuapJhBxso7ZyXxpw6uiAMu4S4m_DBkwv3FXA@mail.gmail.com>
2019-12-23 19:20 ` Serge E. Hallyn
2019-12-23 19:14 ` Serge E. Hallyn [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191223191421.GA32030@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=ksrot@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@kernel.org \
--cc=morgan@kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).