From: William Lee Irwin III <wli@holomorphy.com>
To: Andrea Arcangeli <andrea@suse.de>
Cc: Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, kenneth.w.chen@intel.com
Subject: Re: disable-cap-mlock
Date: Thu, 1 Apr 2004 08:48:25 -0800 [thread overview]
Message-ID: <20040401164825.GD791@holomorphy.com> (raw)
In-Reply-To: <20040401135920.GF18585@dualathlon.random>
On Thu, Apr 01, 2004 at 03:59:20PM +0200, Andrea Arcangeli wrote:
> Oracle needs this sysctl, I designed it and Ken Chen implemented it. I
> guess google also won't dislike it.
> This is a lot simpler than the mlock rlimit and this is people really
> need (not the rlimit). The rlimit thing can still be applied on top of
> this. This should be more efficient too (besides its simplicity).
> can you apply to mainline?
> http://www.us.kernel.org/pub/linux/kernel/people/andrea/patches/v2.6/2.6.5-rc3-aa1/disable-cap-mlock-1
Something like this would have the minor advantage of zero core impact.
Testbooted only. vs. 2.6.5-rc3-mm4
-- wli
$ diffstat -p1 patches/capable_sysctl
security/Kconfig | 6 +
security/Makefile | 1
security/sysctl_capable.c | 205 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 212 insertions(+)
Index: mm4-2.6.5-rc3/security/sysctl_capable.c
===================================================================
--- mm4-2.6.5-rc3.orig/security/sysctl_capable.c 2004-02-07 18:26:35.000000000 -0800
+++ mm4-2.6.5-rc3/security/sysctl_capable.c 2004-04-01 08:41:08.000000000 -0800
@@ -0,0 +1,205 @@
+#include <linux/config.h>
+#include <linux/sysctl.h>
+#include <linux/capability.h>
+#include <linux/security.h>
+#include <linux/init.h>
+#include <linux/module.h>
+
+/*
+ * apparently only 0-28 are used
+ * states:
+ * 0: checks enabled
+ * 1: checks disabled
+ * 2: root-only
+ * 3: no access whatsoever
+ */
+#define CAP_SYSCTL_CHOWN (1 + CAP_CHOWN)
+#define CAP_SYSCTL_DAC_OVERRIDE (1 + CAP_DAC_OVERRIDE)
+#define CAP_SYSCTL_DAC_READ_SEARCH (1 + CAP_DAC_READ_SEARCH)
+#define CAP_SYSCTL_FOWNER (1 + CAP_FOWNER)
+#define CAP_SYSCTL_FSETID (1 + CAP_FSETID)
+#define CAP_SYSCTL_KILL (1 + CAP_KILL)
+#define CAP_SYSCTL_SETGID (1 + CAP_SETGID)
+#define CAP_SYSCTL_SETUID (1 + CAP_SETUID)
+#define CAP_SYSCTL_SETPCAP (1 + CAP_SETPCAP)
+#define CAP_SYSCTL_LINUX_IMMUTABLE (1 + CAP_LINUX_IMMUTABLE)
+#define CAP_SYSCTL_NET_BIND_SERVICE (1 + CAP_NET_BIND_SERVICE)
+#define CAP_SYSCTL_NET_BROADCAST (1 + CAP_NET_BROADCAST)
+#define CAP_SYSCTL_NET_ADMIN (1 + CAP_NET_ADMIN)
+#define CAP_SYSCTL_NET_RAW (1 + CAP_NET_RAW)
+#define CAP_SYSCTL_IPC_LOCK (1 + CAP_IPC_LOCK)
+#define CAP_SYSCTL_IPC_OWNER (1 + CAP_IPC_OWNER)
+#define CAP_SYSCTL_SYS_MODULE (1 + CAP_SYS_MODULE)
+#define CAP_SYSCTL_SYS_RAWIO (1 + CAP_SYS_RAWIO)
+#define CAP_SYSCTL_SYS_CHROOT (1 + CAP_SYS_CHROOT)
+#define CAP_SYSCTL_SYS_PTRACE (1 + CAP_SYS_PTRACE)
+#define CAP_SYSCTL_SYS_PACCT (1 + CAP_SYS_PACCT)
+#define CAP_SYSCTL_SYS_ADMIN (1 + CAP_SYS_ADMIN)
+#define CAP_SYSCTL_SYS_BOOT (1 + CAP_SYS_BOOT)
+#define CAP_SYSCTL_SYS_NICE (1 + CAP_SYS_NICE)
+#define CAP_SYSCTL_SYS_RESOURCE (1 + CAP_SYS_RESOURCE)
+#define CAP_SYSCTL_SYS_TIME (1 + CAP_SYS_TIME)
+#define CAP_SYSCTL_SYS_TTY_CONFIG (1 + CAP_SYS_TTY_CONFIG)
+#define CAP_SYSCTL_MKNOD (1 + CAP_MKNOD)
+#define CAP_SYSCTL_LEASE (1 + CAP_LEASE)
+#define MAX_CAPABILITY CAP_SYSCTL_LEASE
+
+#define CAPABILITY_SYSCTL_ENABLED 0
+#define CAPABILITY_SYSCTL_DISABLED 1
+#define CAPABILITY_SYSCTL_ROOT 2
+#define CAPABILITY_SYSCTL_NONE 3
+
+
+/* you've got to be kidding me */
+#define MKCTL(x, y) \
+ { \
+ .ctl_name = CAP_SYSCTL_##x, \
+ .procname = #y , \
+ .extra1 = (void *)&capability_sysctl_zero, \
+ .extra2 = (void *)&capability_sysctl_one, \
+ .data = &capability_sysctl_state[CAP_SYSCTL_##x],\
+ .mode = 0644, \
+ .strategy = sysctl_intvec, \
+ .proc_handler = proc_dointvec_minmax, \
+ .maxlen = sizeof(int), \
+ },
+
+static int capability_sysctl_state[MAX_CAPABILITY];
+static const int capability_sysctl_zero = 0;
+static const int capability_sysctl_one = 1;
+static int secondary;
+static struct ctl_table_header *capability_sysctl_table_header;
+
+static struct ctl_table capability_sysctl_table[] = {
+ MKCTL(CHOWN, chown)
+ MKCTL(DAC_OVERRIDE, dac_override)
+ MKCTL(DAC_READ_SEARCH, dac_read_search)
+ MKCTL(FOWNER, fowner)
+ MKCTL(FSETID, fsetid)
+ MKCTL(KILL, kill)
+ MKCTL(SETGID, setgid)
+ MKCTL(SETUID, setuid)
+ MKCTL(SETPCAP, setpcap)
+ MKCTL(LINUX_IMMUTABLE, immutable)
+ MKCTL(NET_BIND_SERVICE, bind)
+ MKCTL(NET_BROADCAST, broadcast)
+ MKCTL(NET_ADMIN, net_admin)
+ MKCTL(NET_RAW, net_raw)
+ MKCTL(IPC_LOCK, ipc_lock)
+ MKCTL(IPC_OWNER, ipc_owner)
+ MKCTL(SYS_MODULE, module)
+ MKCTL(SYS_RAWIO, rawio)
+ MKCTL(SYS_CHROOT, chroot)
+ MKCTL(SYS_PTRACE, ptrace)
+ MKCTL(SYS_PACCT, pacct)
+ MKCTL(SYS_ADMIN, sys_admin)
+ MKCTL(SYS_BOOT, boot)
+ MKCTL(SYS_NICE, nice)
+ MKCTL(SYS_RESOURCE, resource)
+ MKCTL(SYS_TIME, time)
+ MKCTL(SYS_TTY_CONFIG, tty_config)
+ MKCTL(MKNOD, mknod)
+ MKCTL(LEASE, lease)
+ {
+ .ctl_name = 0,
+ },
+};
+
+static int capability_sysctl_capable(task_t *, int);
+
+static struct ctl_table capability_sysctl_root_table[] = {
+ {
+ .ctl_name = CTL_KERN,
+ .procname = "capability",
+ .mode = 0644,
+ .child = capability_sysctl_table,
+ },
+ {
+ .ctl_name = 0,
+ },
+};
+
+static struct security_operations capability_sysctl_ops = {
+ .ptrace = cap_ptrace,
+ .capget = cap_capget,
+ .capset_check = cap_capset_check,
+ .capset_set = cap_capset_set,
+ .capable = capability_sysctl_capable,
+ .netlink_send = cap_netlink_send,
+ .netlink_recv = cap_netlink_recv,
+ .bprm_compute_creds = cap_bprm_compute_creds,
+ .bprm_set_security = cap_bprm_set_security,
+ .bprm_secureexec = cap_bprm_secureexec,
+ .inode_setxattr = cap_inode_setxattr,
+ .inode_removexattr = cap_inode_removexattr,
+ .task_post_setuid = cap_task_post_setuid,
+ .task_reparent_to_init = cap_task_reparent_to_init,
+ .syslog = cap_syslog,
+ .vm_enough_memory = cap_vm_enough_memory,
+};
+
+
+static int capability_sysctl_capable(task_t *task, int cap)
+{
+ if (cap < 0 || cap >= MAX_CAPABILITY)
+ return -EINVAL;
+ switch (capability_sysctl_state[cap-1]) {
+ case CAPABILITY_SYSCTL_ROOT:
+ if (current->uid == 0)
+ return 0;
+ /* fall through */
+ case CAPABILITY_SYSCTL_ENABLED:
+ if (cap_raised(task->cap_effective, cap))
+ return 0;
+ else
+ return -EPERM;
+ break;
+ case CAPABILITY_SYSCTL_DISABLED:
+ return 0;
+ break;
+ case CAPABILITY_SYSCTL_NONE:
+ return -EPERM;
+ break;
+ default:
+ return -EINVAL;
+ }
+}
+
+static int capability_sysctl_proc_init(void)
+{
+ capability_sysctl_table_header =
+ register_sysctl_table(capability_sysctl_root_table, 0);
+ if (!capability_sysctl_table_header)
+ return -ENOMEM;
+ else
+ return 0;
+}
+
+static int __init capability_sysctl_init(void)
+{
+ if (!register_security(&capability_sysctl_ops)) {
+ secondary = 0;
+ return 0;
+ }
+ if (!mod_reg_security("capability_sysctl", &capability_sysctl_ops)) {
+ secondary = 1;
+ return 0;
+ }
+ printk(KERN_INFO "failure registering sysctl capability disablement\n");
+ return -EINVAL;
+}
+
+static void __exit capability_sysctl_fini(void)
+{
+ if (secondary)
+ mod_unreg_security("capability_sysctl", &capability_sysctl_ops);
+ else
+ unregister_security(&capability_sysctl_ops);
+ if (capability_sysctl_table_header)
+ unregister_sysctl_table(capability_sysctl_table_header);
+}
+security_initcall(capability_sysctl_init);
+module_init(capability_sysctl_proc_init);
+module_exit(capability_sysctl_fini);
+MODULE_DESCRIPTION("Sysctl-based capability check disablement");
+MODULE_LICENSE("GPL");
Index: mm4-2.6.5-rc3/security/Makefile
===================================================================
--- mm4-2.6.5-rc3.orig/security/Makefile 2004-03-29 19:26:54.000000000 -0800
+++ mm4-2.6.5-rc3/security/Makefile 2004-04-01 07:37:41.000000000 -0800
@@ -15,3 +15,4 @@
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o
obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
+obj-$(CONFIG_SECURITY_CAPABILITY_SYSCTL) += commoncap.o sysctl_capable.o
Index: mm4-2.6.5-rc3/security/Kconfig
===================================================================
--- mm4-2.6.5-rc3.orig/security/Kconfig 2004-03-29 19:26:47.000000000 -0800
+++ mm4-2.6.5-rc3/security/Kconfig 2004-04-01 07:38:49.000000000 -0800
@@ -44,6 +44,12 @@
If you are unsure how to answer this question, answer N.
+config SECURITY_CAPABILITY_SYSCTL
+ bool "Disable capabilities via sysctl"
+ depends on SECURITY!=n
+ help
+ This allows you to disable capabilities with sysctls.
+
source security/selinux/Kconfig
endmenu
next prev parent reply other threads:[~2004-04-01 16:48 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-04-01 13:59 disable-cap-mlock Andrea Arcangeli
2004-04-01 14:12 ` disable-cap-mlock Martin Zwickel
2004-04-01 16:48 ` William Lee Irwin III [this message]
2004-04-01 16:59 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:11 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:16 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:34 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:38 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:42 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:37 ` disable-cap-mlock Stephen Smalley
2004-04-01 17:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:49 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 17:51 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:12 ` disable-cap-mlock William Lee Irwin III
2004-04-01 17:52 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 17:54 ` disable-cap-mlock William Lee Irwin III
2004-04-01 18:47 ` disable-cap-mlock Stephen Smalley
2004-04-01 19:26 ` disable-cap-mlock William Lee Irwin III
2004-04-01 20:23 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 21:13 ` disable-cap-mlock William Lee Irwin III
2004-04-01 21:31 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 18:34 ` disable-cap-mlock Andrew Morton
2004-04-01 18:49 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 18:52 ` disable-cap-mlock Chen, Kenneth W
2004-04-01 18:59 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:27 ` disable-cap-mlock James Morris
2004-04-02 10:39 ` disable-cap-mlock Pavel Machek
2004-04-02 23:44 ` disable-cap-mlock William Lee Irwin III
2004-04-01 19:44 ` disable-cap-mlock Rik van Riel
2004-04-01 19:52 ` disable-cap-mlock Andrew Morton
2004-04-01 22:36 ` disable-cap-mlock Andrea Arcangeli
2004-04-01 22:43 ` disable-cap-mlock Marc-Christian Petersen
2004-04-01 23:08 ` disable-cap-mlock Rik van Riel
2004-04-01 23:26 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 0:59 ` disable-cap-mlock Chris Wright
2004-04-01 22:29 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:07 ` disable-cap-mlock Chris Wright
2004-04-02 1:18 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 1:30 ` disable-cap-mlock Chris Wright
2004-04-02 1:35 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:04 ` disable-cap-mlock Chris Wright
2004-04-02 2:13 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:21 ` disable-cap-mlock Chris Wright
2004-04-02 2:38 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:48 ` disable-cap-mlock Chris Wright
2004-04-02 1:30 ` disable-cap-mlock Andrew Morton
2004-04-02 1:59 ` disable-cap-mlock Chris Wright
2004-04-02 2:09 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:30 ` disable-cap-mlock Andrew Morton
2004-04-02 2:33 ` disable-cap-mlock Chris Wright
2004-04-02 2:45 ` disable-cap-mlock Andrew Morton
2004-04-02 2:51 ` disable-cap-mlock Chris Wright
2004-04-02 3:21 ` disable-cap-mlock William Lee Irwin III
2004-04-02 2:41 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 2:49 ` disable-cap-mlock Andrew Morton
2004-04-02 3:07 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 21:35 ` disable-cap-mlock Andrew Morton
2004-04-02 22:36 ` disable-cap-mlock Chris Wright
2004-04-02 22:56 ` disable-cap-mlock Andrea Arcangeli
2004-04-02 23:01 ` disable-cap-mlock Andrew Morton
2004-04-02 23:18 ` disable-cap-mlock Chris Wright
2004-04-05 12:13 ` disable-cap-mlock Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040401164825.GD791@holomorphy.com \
--to=wli@holomorphy.com \
--cc=akpm@osdl.org \
--cc=andrea@suse.de \
--cc=kenneth.w.chen@intel.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox