From: Albert Cahalan <albert@users.sf.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: Albert Cahalan <albert@users.sourceforge.net>,
linux-kernel mailing list <linux-kernel@vger.kernel.org>,
luto@myrealbox.com, Chris Wright <chrisw@osdl.org>,
olaf+list.linux-kernel@olafdietsche.de, Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH] capabilites, take 2
Date: 14 May 2004 11:19:36 -0400 [thread overview]
Message-ID: <1084547976.952.644.camel@cube> (raw)
In-Reply-To: <1084548061.17741.119.camel@moss-spartans.epoch.ncsc.mil>
On Fri, 2004-05-14 at 11:21, Stephen Smalley wrote:
> On Fri, 2004-05-14 at 08:03, Albert Cahalan wrote:
> > This would be an excellent time to reconsider how capabilities
> > are assigned to bits. You're breaking things anyway; you might
> > as well do all the breaking at once. I want local-use bits so
> > that the print queue management access isn't by magic UID/GID.
> > We haven't escaped UID-as-priv if server apps and setuid apps
> > are still making UID-based access control decisions.
>
> Capabilities are a broken model for privilege management; try RBAC/TE
> instead. http://www.securecomputing.com/pdf/secureos.pdf has notes
> about the history and comparison of capabilities vs. TE.
I just read that. It's a very unfair marketing document.
Among other things, it suggests that a capability system
is stuck with about 40 bits while their own version of
capabilities (a duck is a duck...) has 80 bits. Lovely,
but not exactly groundbreaking. There is the bit about
a 3-argument security call, but a careful reading will
reveal that one argument is unused (NULL?) when dealing
with abilities like "can set the clock".
About the only thing of interest is that capability
transitions can be arbitrary. You're not limited to
an obscure set of equations that nobody can agree on.
The cost: complicated site-specific config files and
the inability to support capability-aware apps that
set+clear their own bits.
There is some value in unifying the handling of
capability bits with the handling of actor-to-actee
security controls. This simplifies the documentation,
and thus reduces the likelyhood of admin mistakes.
> Instead of adding new capability bits, replace capable()
> calls with LSM hook calls that offer you finer granularity
> both in operation and in object-based decisions, and then
> use a security module like SELinux to map that to actual
> permission checks.
Eh, why? That's mostly a search-and-replace on the name,
since capable() makes a perfectly fine LSM hook.
> SELinux provides a framework for
> defining security classes and permissions, including both definitions
> used by the kernel and definitions used by userspace policy enforcers
> (ala security-enhanced X).
Nice.
So what about the old-Oracle problem? You have a
server that needs the ability to hog and lock memory.
Is there an almost-empty SELinux policy that would
provide this while leaving the rest of the system
acting as UNIX-like systems have always acted?
If so, we have a winner.
One still does need to provide apps with a way to
answer "can I do FOO, BAR, and BAZ?" and "am I
running with elevated privileges?". Some way to
dispose of unneeded privileges would be good too.
Hopefully extra libraries wouldn't be needed.
next prev parent reply other threads:[~2004-05-14 17:42 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-14 12:03 [PATCH] capabilites, take 2 Albert Cahalan
2004-05-14 14:53 ` Andy Lutomirski
2004-05-14 17:58 ` Chris Wright
2004-05-14 15:21 ` Stephen Smalley
2004-05-14 15:19 ` Albert Cahalan [this message]
2004-05-14 18:06 ` Stephen Smalley
2004-05-14 17:32 ` Albert Cahalan
2004-05-14 21:11 ` Chris Wright
2004-05-14 19:32 ` Albert Cahalan
2004-05-14 18:00 ` Chris Wright
2004-05-14 17:48 ` Chris Wright
[not found] <fa.dt4cg55.jnqvr5@ifi.uio.no>
[not found] ` <fa.mu5rj3d.24gtbp@ifi.uio.no>
2004-05-14 15:57 ` Andy Lutomirski
2004-05-14 16:01 ` Stephen Smalley
2004-05-14 16:18 ` Andy Lutomirski
2004-05-14 16:37 ` Stephen Smalley
2004-05-14 18:07 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2004-05-13 20:08 Andy Lutomirski
2004-05-14 1:20 ` Chris Wright
2004-05-14 1:35 ` Valdis.Kletnieks
2004-05-14 4:51 ` Chris Wright
2004-05-14 5:33 ` Olaf Dietsche
2004-05-14 6:04 ` Valdis.Kletnieks
2004-05-14 7:09 ` Olaf Dietsche
2004-05-14 2:27 ` Andy Lutomirski
2004-05-14 4:48 ` Chris Wright
2004-05-14 5:58 ` Andy Lutomirski
2004-05-14 17:45 ` Chris Wright
2004-05-14 6:39 ` Olaf Dietsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1084547976.952.644.camel@cube \
--to=albert@users.sf.net \
--cc=Valdis.Kletnieks@vt.edu \
--cc=albert@users.sourceforge.net \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@myrealbox.com \
--cc=olaf+list.linux-kernel@olafdietsche.de \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox