* linux capabilities oddity
@ 2006-07-23 14:36 Frank v Waveren
2006-07-25 18:47 ` Serge E. Hallyn
0 siblings, 1 reply; 3+ messages in thread
From: Frank v Waveren @ 2006-07-23 14:36 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1884 bytes --]
I sent this to linux-privs-discuss, but that list appears to be dead.
Perhaps someone here can help me?
While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
working, I came across the following code at
linux-2.6.x/security/commoncap.c:140:
void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
{
/* Derived from fs/exec.c:compute_creds. */
kernel_cap_t new_permitted, working;
new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
working = cap_intersect (bprm->cap_inheritable,
current->cap_inheritable);
new_permitted = cap_combine (new_permitted, working);
...
Here the new permitted set gets limited to the bits in cap_bset, which
is as it should be, but then the intersection of the of the current
and exec inheritable masks get added to that set, whereas as I
understand it, cap_bset should always be the bounding set.
This triggered a problem where the /sbin/init on a gentoo install disk
(which I was using as an quick&dirty UML root disk for testing) for
some reason did something to set its inheritable mask to ~0, which
then propagated to all the processes that ran as root, which meant
that the cap bound didn't apply to them.
I took out the cap_combine and didn't notice any ill effects on some
quick tests, though I don't know POSIX capabilities well enough to say
all the behaviour was per the standard. If someone could tell me what
those lines are for, and if its foiling of cap-bound limits is on
purpose, I'd be most grateful.
--
Frank v Waveren Key fingerprint: BDD7 D61E
fvw@var.cx 5D39 CF05 4BFC F57A
Public key: hkp://wwwkeys.pgp.net/468D62C8 FA00 7D51 468D 62C8
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: linux capabilities oddity
2006-07-23 14:36 linux capabilities oddity Frank v Waveren
@ 2006-07-25 18:47 ` Serge E. Hallyn
2006-07-27 14:19 ` Frank v Waveren
0 siblings, 1 reply; 3+ messages in thread
From: Serge E. Hallyn @ 2006-07-25 18:47 UTC (permalink / raw)
To: Frank v Waveren; +Cc: linux-kernel
Quoting Frank v Waveren (fvw@var.cx):
> I sent this to linux-privs-discuss, but that list appears to be dead.
> Perhaps someone here can help me?
>
>
> While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> working, I came across the following code at
> linux-2.6.x/security/commoncap.c:140:
>
> void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> {
> /* Derived from fs/exec.c:compute_creds. */
> kernel_cap_t new_permitted, working;
>
> new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> working = cap_intersect (bprm->cap_inheritable,
> current->cap_inheritable);
> new_permitted = cap_combine (new_permitted, working);
> ...
>
> Here the new permitted set gets limited to the bits in cap_bset, which
> is as it should be, but then the intersection of the of the current
> and exec inheritable masks get added to that set, whereas as I
> understand it, cap_bset should always be the bounding set.
>
> This triggered a problem where the /sbin/init on a gentoo install disk
> (which I was using as an quick&dirty UML root disk for testing) for
> some reason did something to set its inheritable mask to ~0, which
> then propagated to all the processes that ran as root, which meant
> that the cap bound didn't apply to them.
>
> I took out the cap_combine and didn't notice any ill effects on some
> quick tests, though I don't know POSIX capabilities well enough to say
> all the behaviour was per the standard. If someone could tell me what
> those lines are for, and if its foiling of cap-bound limits is on
> purpose, I'd be most grateful.
Actually going by the faq
(http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
it seems like the cap_intersect with current->cap_inheritable is *too*
limiting. I haven't checked what the posix draft actually says, but the
bprm->cap_inheritable is called the 'forced' set, and is supposed to be
like setuid.
I suspect the reason why removing the cap_combine worked for you is
because when the file is setuid 0, the bprm->cap_permitted is also set
full on. For people actually using one of the patches implementing
filesystem capabilities, I think you might in fact change behavior.
-serge
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: linux capabilities oddity
2006-07-25 18:47 ` Serge E. Hallyn
@ 2006-07-27 14:19 ` Frank v Waveren
0 siblings, 0 replies; 3+ messages in thread
From: Frank v Waveren @ 2006-07-27 14:19 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 2377 bytes --]
On Tue, Jul 25, 2006 at 01:47:19PM -0500, Serge E. Hallyn wrote:
> Quoting Frank v Waveren (fvw@var.cx):
> > While debugging an odd problem where /proc/sys/kernel/cap-bound wasn't
> > working, I came across the following code at
> > linux-2.6.x/security/commoncap.c:140:
> >
> > void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
> > {
> > /* Derived from fs/exec.c:compute_creds. */
> > kernel_cap_t new_permitted, working;
> >
> > new_permitted = cap_intersect (bprm->cap_permitted, cap_bset);
> > working = cap_intersect (bprm->cap_inheritable,
> > current->cap_inheritable);
> > new_permitted = cap_combine (new_permitted, working);
> > ...
> >
> > Here the new permitted set gets limited to the bits in cap_bset, which
> > is as it should be, but then the intersection of the of the current
> > and exec inheritable masks get added to that set, whereas as I
> > understand it, cap_bset should always be the bounding set.
> [...]
>
> Actually going by the faq
> (http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt)
> it seems like the cap_intersect with current->cap_inheritable is *too*
> limiting. I haven't checked what the posix draft actually says, but the
> bprm->cap_inheritable is called the 'forced' set, and is supposed to be
> like setuid.
I don't think the force set should be able to override the cap bound
though. Like the force/setuid analogy, I think we can compare the
cap_bset to the old securelevel system, which means that it should be
the bounding factor. Even if you have setuids on a system with a
raised securelevel, they still can't do the restricted operations.
Once again, this is not based on what the POSIX 1003.1e says, as a
matter of fact I can't find anything about lowering the systemwide
bound externally (as opposed to by not having forced-set executables
and dropping the caps from all processes) at all in a quick grep of
the document, so I suspect this is entirely outside of the spec anyway.
--
Frank v Waveren Key fingerprint: BDD7 D61E
fvw@var.cx 5D39 CF05 4BFC F57A
Public key: hkp://wwwkeys.pgp.net/468D62C8 FA00 7D51 468D 62C8
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2006-07-27 14:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-07-23 14:36 linux capabilities oddity Frank v Waveren
2006-07-25 18:47 ` Serge E. Hallyn
2006-07-27 14:19 ` Frank v Waveren
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox