From: Albert Cahalan <albert@users.sf.net>
To: Chris Wright <chrisw@osdl.org>
Cc: Albert Cahalan <albert@users.sourceforge.net>,
Stephen Smalley <sds@epoch.ncsc.mil>,
linux-kernel mailing list <linux-kernel@vger.kernel.org>,
luto@myrealbox.com, olaf+list.linux-kernel@olafdietsche.de,
Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH] capabilites, take 2
Date: 14 May 2004 15:32:32 -0400 [thread overview]
Message-ID: <1084563151.955.695.camel@cube> (raw)
In-Reply-To: <20040514141145.Z21045@build.pdx.osdl.net>
On Fri, 2004-05-14 at 17:11, Chris Wright wrote:
> * Albert Cahalan (albert@users.sourceforge.net) wrote:
> > On Fri, 2004-05-14 at 14:06, Stephen Smalley wrote:
> > > You missed the point. Capability scheme maps far too
> > > many operations to a single capability; CAP_SYS_ADMIN
> > > in Linux is a good example.
> >
> > What I said: lovely, but not exactly groundbreaking.
> >
> > Suppose we break up CAP_SYS_ADMIN into 41 other bits.
> > There you go. It's silly to argue that a system with
> > more bits is some kind of major advance over one with
> > just a few bits. There is a quality-of-implementation
> > issue here, not some fundamental difference.
>
> Needing more bits isn't the only problem.
That's what much of the document went on about. The
rest of the document was mostly generic MAC concepts.
> > > TE model
> > > defers organization of operations into equivalence
> > > classes to the policy writer.
> >
> > I don't see anything special here either. With a
> > plain capability-bit system, you could allow for
> > user-defined aliases that map to multiple bits.
> > In some random /etc config file:
> >
> > define ADMIN := FOO | BAR | BAZ
>
> This doesn't effect the inflexibility of a single definition for domain
> transistion that's inherent in the capabilty system.
Sure. I already noted this.
> > Lack of granularity is an implementation detail.
> > (Blame the SGI folks that wouldn't listen to me.)
> > Lack of granularity is not a design flaw.
>
> It's a design flaw. More bits won't help. There's an important missing
> piece...credentials for both subject and object. Both of which can be
> dynamic, and differ per subject's view of an object.
There is no meaningful object.
subject: process 12345
object: ??????
operation: lock memory
For a few capability bits, there is a meaningful object
and you could use SELinux in place of the capability bits.
For most of the capability bits, this is not the case.
> > What I'm looking for:
> >
> > 1. configure the kernel by ...
> > 2. ensure that /bin/foo runs early in boot
> > 3. put "blah blah blah" in /etc/foo.conf
> >
> > That is, is there a small set of simple config files
> > and binaries that I could just slap onto an existing
> > system to ensure that a particular app is granted an
> > extra capability bit?
> >
> > If yes, then the ugly old-Oracle hack is not needed.
>
> Nearly. There's the minor issue that execve() clears that bit more
> agressively than desired for non-root processes. Otherwise pam can do
> it with pam_cap. Which is all we're trying to fix here.
Stephen Smalley suggested that SELinux could take the
place of our capability bits. So I'm asking how you do
that, using the most minimal SELinux config.
If he really has a way, then there is no need to change
the execve() behavior in the Linux 2.6.x kernels.
Perhaps we just need an LSM hook to re-add the capability
bit after execve() drops it. That's a tiny change that
doesn't affect any existing system.
next prev parent reply other threads:[~2004-05-14 21:55 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-05-14 12:03 [PATCH] capabilites, take 2 Albert Cahalan
2004-05-14 14:53 ` Andy Lutomirski
2004-05-14 17:58 ` Chris Wright
2004-05-14 15:21 ` Stephen Smalley
2004-05-14 15:19 ` Albert Cahalan
2004-05-14 18:06 ` Stephen Smalley
2004-05-14 17:32 ` Albert Cahalan
2004-05-14 21:11 ` Chris Wright
2004-05-14 19:32 ` Albert Cahalan [this message]
2004-05-14 18:00 ` Chris Wright
2004-05-14 17:48 ` Chris Wright
[not found] <fa.dt4cg55.jnqvr5@ifi.uio.no>
[not found] ` <fa.mu5rj3d.24gtbp@ifi.uio.no>
2004-05-14 15:57 ` Andy Lutomirski
2004-05-14 16:01 ` Stephen Smalley
2004-05-14 16:18 ` Andy Lutomirski
2004-05-14 16:37 ` Stephen Smalley
2004-05-14 18:07 ` Chris Wright
-- strict thread matches above, loose matches on Subject: below --
2004-05-13 20:08 Andy Lutomirski
2004-05-14 1:20 ` Chris Wright
2004-05-14 1:35 ` Valdis.Kletnieks
2004-05-14 4:51 ` Chris Wright
2004-05-14 5:33 ` Olaf Dietsche
2004-05-14 6:04 ` Valdis.Kletnieks
2004-05-14 7:09 ` Olaf Dietsche
2004-05-14 2:27 ` Andy Lutomirski
2004-05-14 4:48 ` Chris Wright
2004-05-14 5:58 ` Andy Lutomirski
2004-05-14 17:45 ` Chris Wright
2004-05-14 6:39 ` Olaf Dietsche
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1084563151.955.695.camel@cube \
--to=albert@users.sf.net \
--cc=Valdis.Kletnieks@vt.edu \
--cc=albert@users.sourceforge.net \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@myrealbox.com \
--cc=olaf+list.linux-kernel@olafdietsche.de \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox