From: "Serge E. Hallyn" <serge@hallyn.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Serge Hallyn <serge.hallyn@ubuntu.com>,
Christoph Lameter <cl@linux.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Jonathan Corbet <corbet@lwn.net>,
Aaron Jones <aaronmdjones@gmail.com>, "Ted Ts'o" <tytso@mit.edu>,
LSM List <linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linuxfoundation.org>
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
Date: Tue, 3 Feb 2015 16:51:22 +0100 [thread overview]
Message-ID: <20150203155122.GD2923@mail.hallyn.com> (raw)
In-Reply-To: <54CFE3E8.2030402@schaufler-ca.com>
Quoting Casey Schaufler (casey@schaufler-ca.com):
> On 2/2/2015 12:37 PM, Andy Lutomirski wrote:
> > On Mon, Feb 2, 2015 at 10:08 AM, Serge Hallyn <serge.hallyn@ubuntu.com> wrote:
> >> Quoting Casey Schaufler (casey@schaufler-ca.com):
> >>> I'm game to participate in such an effort. The POSIX scheme
> >>> is workable, but given that it's 20 years old and hasn't
> >>> developed real traction it's hard to call it successful.
> >> Over the years we've several times discussed possible reasons for this
> >> and how to help. I personally think it's two things: 1. lack of
> >> toolchain and fs support. The fact that we cannot to this day enable
> >> ping using capabilities by default because of cpio, tar and non-xattr
> >> filesystems is disheartening. 2. It's hard for users and applications
> >> to know what caps they need. yes the API is a bear to use, but we can
> >> hide that behind fancier libraries. But using capabilities requires too
> >> much in-depth knowledge of precisely what caps you might need for
> >> whatever operations library may now do when you asked for something.
> > None of this could address the problem here, though: if I hold a
> > capability and I want to pass that capability to an exec'd helper, I
> > shouldn't need the fs's help to do this.
>
> One of the holes in the 1003.1e spec is what to do with a program file
> that does not have a capability set attached to it. The two options are
> drop all capabilities and leave the capabilities alone. The latter gives
> you what you're asking for. The former is arguably safer.
Hm, so if we were to change that, what should we do in the case of (a)
an fs which doesn't support xattrs, (2) expanding a tarball/cpio which
didn't have xattrs (should tar/cpio fill them in with empty sets?),
and (3) do we add a default empty set in the case of an fs mounted with
NOSUID?
It's an interesting notion.
next prev parent reply other threads:[~2015-02-03 15:57 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-02 16:21 [capabilities] Allow normal inheritance for a configurable set of capabilities Christoph Lameter
2015-02-02 17:12 ` Serge Hallyn
2015-02-02 17:18 ` Andy Lutomirski
2015-02-02 18:09 ` Serge Hallyn
2015-02-03 15:16 ` Christoph Lameter
2015-02-03 15:23 ` Christoph Lameter
2015-02-03 15:55 ` Serge E. Hallyn
2015-02-03 17:18 ` Christoph Lameter
2015-02-03 17:26 ` Serge E. Hallyn
2015-02-04 15:15 ` Andrew G. Morgan
2015-02-04 15:50 ` Christoph Lameter
2015-02-04 15:56 ` Serge E. Hallyn
2015-02-04 16:12 ` Andrew G. Morgan
2015-02-04 16:34 ` Andy Lutomirski
2015-02-04 16:54 ` Andrew G. Morgan
2015-02-04 17:34 ` Serge E. Hallyn
2015-02-04 18:12 ` Christoph Lameter
2015-02-04 16:43 ` Christoph Lameter
2015-02-04 16:27 ` Andy Lutomirski
2015-02-05 0:34 ` Serge E. Hallyn
2015-02-05 15:23 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
2015-02-25 23:59 ` Christoph Lameter
2015-02-26 12:27 ` Pavel Machek
2015-02-27 20:15 ` Andy Lutomirski
2015-02-27 20:48 ` Pavel Machek
2015-02-27 20:56 ` Andy Lutomirski
2015-02-27 22:47 ` Pavel Machek
2015-02-02 17:54 ` Casey Schaufler
2015-02-02 18:08 ` Serge Hallyn
2015-02-02 18:47 ` Mimi Zohar
2015-02-02 19:05 ` Austin S Hemmelgarn
2015-02-02 20:35 ` Casey Schaufler
2015-02-03 16:04 ` Serge E. Hallyn
2015-02-02 19:00 ` Casey Schaufler
2015-02-05 0:20 ` Serge E. Hallyn
2015-02-02 20:37 ` Andy Lutomirski
2015-02-02 20:54 ` Casey Schaufler
2015-02-03 15:51 ` Serge E. Hallyn [this message]
2015-02-03 16:37 ` Casey Schaufler
2015-02-03 17:28 ` Serge E. Hallyn
2015-02-03 17:50 ` Casey Schaufler
2015-02-03 19:45 ` Christoph Lameter
2015-02-03 20:13 ` Andy Lutomirski
2015-02-03 23:14 ` Christoph Lameter
2015-02-03 23:17 ` Andy Lutomirski
2015-02-04 2:27 ` Christoph Lameter
2015-02-04 6:05 ` Markku Savela
2015-02-04 13:17 ` Christoph Lameter
2015-02-04 13:41 ` Markku Savela
2015-02-04 14:56 ` Jarkko Sakkinen
2015-02-03 15:17 ` Christoph Lameter
2015-02-03 15:40 ` Casey Schaufler
2015-02-03 15:46 ` Serge E. Hallyn
2015-02-03 17:19 ` Christoph Lameter
2015-02-03 17:29 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150203155122.GD2923@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=aaronmdjones@gmail.com \
--cc=akpm@linuxfoundation.org \
--cc=casey@schaufler-ca.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge.hallyn@canonical.com \
--cc=serge.hallyn@ubuntu.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox