From: Steve Grubb <sgrubb@redhat.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
lkml <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
Kees Cook <kees.cook@canonical.com>,
Andreas Gruenbacher <agruen@suse.de>,
Michael Kerrisk <mtk.manpages@gmail.com>,
George Wilson <gcwilson@us.ibm.com>,
KaiGai Kohei <kaigai@kaigai.gr.jp>
Subject: Re: drop SECURITY_FILE_CAPABILITIES?
Date: Wed, 18 Nov 2009 12:49:29 -0500 [thread overview]
Message-ID: <200911181249.29140.sgrubb@redhat.com> (raw)
In-Reply-To: <551280e50911180840v5c3f2945t253c709ba2d033b2@mail.gmail.com>
On Wednesday 18 November 2009 11:40:13 am Andrew G. Morgan wrote:
> >> But back to detecting the capability version number...if I pass 0 as the
> >> version in the header, why can't the kernel just say oh you want the
> >> preferred version number, stuff it in the header, and return the syscall
> >> with success and not EINVAL?
>
> This is so a library can understand that it doesn't understand the
> current ABI.
If user space is passing a NULL for the cap_user_data_t argument, user space
has a pretty good idea that its not expecting actual capabilities to be filled
in. My basic point is that there is no way to "correctly" use the capabilities
API to determine what the preferred version is.
> For example, consider the case of some kernel of the
> future with a different ABI meeting an old library.
Right. Either user space checks version numbers to verify it knows what its
doing and errors out, or it blindly tries to set capabilities and gets an
error. Either way, if user space is *really* using the API to do work, it
won't be passing NULL as the user data argument.
Maybe if version is set to 0 and NULL is being passed for arg 2 to getcap,
that would be the secret handshake that lets the kernel know all I want is the
preferred version number and nothing else since there is no data structure to
fill in.
> The intention is for it to fail safe and not blunder on doing
> "security" related operations with an imperfect idea of the current
> kernel interface.
>
> This is how libcap figures out it can work with the hosting kernel:
capget(0x20080522, 0, NULL) = -1 EFAULT (Bad address)
Still an error.
-Steve
next prev parent reply other threads:[~2009-11-18 17:50 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-10 14:07 drop SECURITY_FILE_CAPABILITIES? Serge E. Hallyn
2009-11-10 15:28 ` Steve Grubb
2009-11-10 15:53 ` Serge E. Hallyn
2009-11-10 17:51 ` Steve Grubb
2009-11-11 0:19 ` Serge E. Hallyn
2009-11-18 16:40 ` Andrew G. Morgan
2009-11-18 17:49 ` Steve Grubb [this message]
2009-11-18 18:36 ` Andrew G. Morgan
2009-11-18 19:33 ` Steve Grubb
2009-11-18 19:39 ` Andrew G. Morgan
2009-11-19 15:35 ` Andrew G. Morgan
2009-11-19 20:26 ` Steve Grubb
2009-11-10 17:23 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200911181249.29140.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=agruen@suse.de \
--cc=gcwilson@us.ibm.com \
--cc=kaigai@kaigai.gr.jp \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox