From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: Nicolas Viennot <Nicolas.Viennot@twosigma.com>,
Christian Brauner <christian.brauner@ubuntu.com>,
Adrian Reber <areber@redhat.com>,
Cyrill Gorcunov <gorcunov@gmail.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: mtk.manpages@gmail.com, Oleg Nesterov <oleg@redhat.com>,
Pavel Emelyanov <ovzxemul@gmail.com>,
Kees Cook <keescook@chromium.org>,
Casey Schaufler <casey@schaufler-ca.com>,
lkml <linux-kernel@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>,
Jann Horn <jannh@google.com>, Andrei Vagin <avagin@gmail.com>,
Dmitry Safonov <0x7f454c46@gmail.com>
Subject: Inconsistent capability requirements for prctl_set_mm_exe_file()
Date: Tue, 27 Oct 2020 13:11:40 +0100 [thread overview]
Message-ID: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com> (raw)
Hello Nicolas, Cyrill, and others,
@Nicolas, your commit ebd6de6812387a changed the capability
requirements for the prctl_set_mm_exe_file() operation from
ns_capable(CAP_SYS_ADMIN)
to
ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE).
That's fine I guess, but while looking at that change, I found
an anomaly.
The same prctl_set_mm_exe_file() functionality is also available
via the prctl() PR_SET_MM_EXE_FILE operation, which was added
by Cyrill's commit b32dfe377102ce668. However, there the
prctl_set_mm_exe_file() operation is guarded by a check
capable(CAP_SYS_RESOURCE).
There are two things I note:
* The capability requirements are different in the two cases.
* In one case the checks are with ns_capable(), while in the
other case the check is with capable().
In both cases, the inconsistencies predate Nicolas's patch,
and appear to have been introduced in Kirill Tkhai's commit
4d28df6152aa3ff.
I'm not sure what is right, but those inconsistencies seem
seem odd, and presumably unintended. Similarly, I'm not
sure what fix, if any, should be applied. However, I thought
it worth mentioning these details, since the situation is odd
and surprising.
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
next reply other threads:[~2020-10-27 12:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-27 12:11 Michael Kerrisk (man-pages) [this message]
2020-10-27 12:51 ` Inconsistent capability requirements for prctl_set_mm_exe_file() Jann Horn
2020-10-27 12:51 ` Cyrill Gorcunov
2020-10-27 17:22 ` Kirill Tkhai
2020-10-27 19:37 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com \
--to=mtk.manpages@gmail.com \
--cc=0x7f454c46@gmail.com \
--cc=Nicolas.Viennot@twosigma.com \
--cc=areber@redhat.com \
--cc=avagin@gmail.com \
--cc=casey@schaufler-ca.com \
--cc=christian.brauner@ubuntu.com \
--cc=ebiederm@xmission.com \
--cc=gorcunov@gmail.com \
--cc=jannh@google.com \
--cc=keescook@chromium.org \
--cc=ktkhai@virtuozzo.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=ovzxemul@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).