From: "Serge E. Hallyn" <serue@us.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
"Andrew G. Morgan" <morgan@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linux Security Modules List
<linux-security-module@vger.kernel.org>,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/4] security: filesystem capabilities bugfix2
Date: Mon, 30 Jun 2008 14:49:09 -0500 [thread overview]
Message-ID: <20080630194909.GE30669@us.ibm.com> (raw)
In-Reply-To: <14854.1214853041@redhat.com>
Quoting David Howells (dhowells@redhat.com):
> Serge E. Hallyn <serue@us.ibm.com> wrote:
>
> > > With Andrew's patch, capabilities are downgraded regardless of whether we
> > > have CAP_SETPCAP or not. I guess that means that if you're tracing a
> > > binary whose filecaps say that it wants CAP_SETPCAP, then it retains
> > > CAP_SETPCAP.
> >
> > I don't understand where that last sentence comes from. Why would it
> > retain CAP_SETPCAP?
>
> It seems I missed a bit out. It should've read:
>
> I guess that means that if you're tracing a binary that has
> CAP_SETPCAP already, and whose filecaps say that it wants CAP_SETPCAP,
> then it retains CAP_SETPCAP.
>
> If the debugger has CAP_SYS_PTRACE, then it can attach to a binary that has
> CAP_SETPCAP according to cap_ptrace(), even if the debugger doesn't.
Ah. Yes. I think that's the desirable behavior in all proposals.
> > > I wonder if the tracing task should be examined here, and any capability the
> > > tracer isn't permitted should be denied the process doing the exec.
> >
> > That sounds reasonable on its own, but it opens up a dangerous ability
> > for the partially-privileged tracer to manipulate the capability set for
> > the traced task.
>
> Does it, though? It would only reduce the capabilities of the inferior
> process; it wouldn't allow the inferior process or the debugger to get
> additional capabilities, apart from what's available under CAP_SETPCAP.
And the uids won't change unless capable(CAP_SETUID)... so I think
you're right, it does sound safe.
thanks,
-serge
next prev parent reply other threads:[~2008-06-30 20:01 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-26 8:48 [PATCH 2/4] security: filesystem capabilities bugfix2 Andrew G. Morgan
2008-06-27 20:59 ` Serge E. Hallyn
2008-06-30 14:53 ` David Howells
2008-06-30 18:53 ` Serge E. Hallyn
2008-06-30 19:10 ` David Howells
2008-06-30 19:49 ` Serge E. Hallyn [this message]
2008-06-27 23:04 ` David Howells
2008-06-30 5:41 ` Andrew G. Morgan
2008-06-30 9:45 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080630194909.GE30669@us.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox