From: Frank v Waveren <fvw@var.cx>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: linux capabilities oddity
Date: Thu, 27 Jul 2006 16:19:59 +0200 [thread overview]
Message-ID: <20060727141959.GC22794@var.cx> (raw)
In-Reply-To: <20060725184719.GA8076@sergelap.austin.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 2377 bytes --]
On Tue, Jul 25, 2006 at 01:47:19PM -0500, Serge E. Hallyn wrote:
> Quoting Frank v Waveren (fvw@var.cx):
> > While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> > working, I came across the following code at
> > linux-2.6.x/security/commoncap.c:140:
> >
> > void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> > {
> > /* Derived from fs/exec.c:compute_creds. */
> > kernel_cap_t new_permitted, working;
> >
> > new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> > working = cap_intersect (bprm->cap_inheritable,
> > current->cap_inheritable);
> > new_permitted = cap_combine (new_permitted, working);
> > ...
> >
> > Here the new permitted set gets limited to the bits in cap_bset, which
> > is as it should be, but then the intersection of the of the current
> > and exec inheritable masks get added to that set, whereas as I
> > understand it, cap_bset should always be the bounding set.
> [...]
>
> Actually going by the faq
> (http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
> it seems like the cap_intersect with current->cap_inheritable is *too*
> limiting. I haven't checked what the posix draft actually says, but the
> bprm->cap_inheritable is called the 'forced' set, and is supposed to be
> like setuid.
I don't think the force set should be able to override the cap bound
though. Like the force/setuid analogy, I think we can compare the
cap_bset to the old securelevel system, which means that it should be
the bounding factor. Even if you have setuids on a system with a
raised securelevel, they still can't do the restricted operations.
Once again, this is not based on what the POSIX 1003.1e says, as a
matter of fact I can't find anything about lowering the systemwide
bound externally (as opposed to by not having forced-set executables
and dropping the caps from all processes) at all in a quick grep of
the document, so I suspect this is entirely outside of the spec anyway.
--
Frank v Waveren Key fingerprint: BDD7 D61E
fvw@var.cx 5D39 CF05 4BFC F57A
Public key: hkp://wwwkeys.pgp.net/468D62C8 FA00 7D51 468D 62C8
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
prev parent reply other threads:[~2006-07-27 14:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-23 14:36 linux capabilities oddity Frank v Waveren
2006-07-25 18:47 ` Serge E. Hallyn
2006-07-27 14:19 ` Frank v Waveren [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060727141959.GC22794@var.cx \
--to=fvw@var.cx \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox