From: Andy Lutomirski <luto@myrealbox.com>
To: Chris Wright <chrisw@osdl.org>
Cc: Andy Lutomirski <luto@myrealbox.com>,
Stephen Smalley <sds@epoch.ncsc.mil>,
Albert Cahalan <albert@users.sourceforge.net>,
linux-kernel mailing list <linux-kernel@vger.kernel.org>,
olaf+list.linux-kernel@olafdietsche.de, Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH] scaled-back caps, take 4
Date: Tue, 18 May 2004 18:54:17 -0700 [thread overview]
Message-ID: <40AABE49.1050401@myrealbox.com> (raw)
In-Reply-To: <20040518182751.J21045@build.pdx.osdl.net>
Chris Wright wrote:
> * Andy Lutomirski (luto@stanford.edu) wrote:
>
>>Chris Wright wrote:
>>
>>>
>>>
>>>Thus far we've kept all this stuff out of core. I believe we should
>>>keep it that way. This could easily be left in bprm_set().
>>
>>True. But as long as linux_binprm has fields for this stuff, intuitively
>>it should always be filled in (i.e. not just in commoncap). That way we
>>can say that commoncap doesn't get special treatment :)
>>
>>Also, this seems like the right place to check for VFS caps. This way we can.
>
>
> This does change the current notion of layering. I see your point though,
> likening it to say reading inode and finding S_ISUID bit.
On the other hand, no one would put reading of a SELinux security label
here. But we already have fields in binprm specifically for commoncap. I
have no strong preference.
>>The reason I killed the old algorithm is because it's scary (in the sense
>>of being complicated and subtle for no good reason) and because I don't see
>>the point of inheritable caps. I doubt anything uses them currently on a
>>vanilla kernel because they don't _do_ anything. So I killed them.
>
>
> This does break all those caps aware apps (yeah, tongue-in-cheek ;-)
> that actually have the idea to widen the effective set, yet limit the
> inheriable set. Seriously, I don't know how much this matters.
Yah, they're broken anyway right now if that's what they're doing.
The reason I didn't go for something like your approach (other than not
thinking of it) was that, as long as we're changing the semantics, we might
as well make them as clean as possible. I also didn't mind ripping out
lots of old code :). If the inheritable mask stays, then programs need to
be audited for what happens if they are run with different inheritable
masks. I'd rather just eliminate that complication and the corresponding
blob of commoncap code. Obviously my patch fails a lot of your tests as a
result.
So do we arm-wrestle over whose implementation wins? :) I'd say mine wins
on readability (not your fault -- the old code was pretty bad to begin
with) and some simplicity, but yours has the benefit of being less intrusive.
--Andy
next prev parent reply other threads:[~2004-05-19 1:54 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.dt4cg55.jnqvr5@ifi.uio.no>
[not found] ` <fa.mu5rj3d.24gtbp@ifi.uio.no>
2004-05-14 15:57 ` [PATCH] capabilites, take 2 Andy Lutomirski
2004-05-14 16:01 ` Stephen Smalley
2004-05-14 16:18 ` Andy Lutomirski
2004-05-14 16:37 ` Stephen Smalley
2004-05-14 18:07 ` Chris Wright
2004-05-14 22:48 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-15 0:06 ` [PATCH] scaled-back caps, take 4 Olaf Dietsche
2004-05-14 22:09 ` Albert Cahalan
2004-05-15 0:27 ` Chris Wright
[not found] ` <20040517231912.H21045@build.pdx.osdl.net>
2004-05-18 9:11 ` [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-19 1:27 ` Chris Wright
2004-05-19 1:54 ` Andy Lutomirski [this message]
2004-05-19 7:30 ` [PATCH] scaled-back caps, take 4 Chris Wright
2004-05-23 9:28 ` Andy Lutomirski
2004-05-23 18:48 ` Olaf Dietsche
2004-05-24 23:38 ` [PATCH] caps, compromise version (was Re: [PATCH] scaled-back caps, take 4) Andy Lutomirski
2004-05-24 23:56 ` Chris Wright
2004-05-25 0:23 ` Andy Lutomirski
[not found] ` <20040517235844.I21045@build.pdx.osdl.net>
2004-05-19 1:34 ` [PATCH] support cap inheritable (Re: [PATCH] scaled-back caps, take 4 (was Re: [PATCH] capabilites, take 2) Andy Lutomirski
2004-05-19 7:27 ` Chris Wright
[not found] <fa.id6it11.41id3h@ifi.uio.no>
[not found] ` <fa.gf5v6pu.c2mkrq@ifi.uio.no>
2004-05-17 7:19 ` [PATCH] scaled-back caps, take 4 Andy Lutomirski
2004-05-17 11:59 ` Stephen Smalley
[not found] <fa.i8g63r1.9jata3@ifi.uio.no>
[not found] ` <fa.hjocttu.1cgcc3q@ifi.uio.no>
[not found] ` <40B0F65F.3020706@myrealbox.com>
2004-05-23 20:57 ` Olaf Dietsche
2004-05-24 16:55 ` Martin Schlemmer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40AABE49.1050401@myrealbox.com \
--to=luto@myrealbox.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=albert@users.sourceforge.net \
--cc=chrisw@osdl.org \
--cc=linux-kernel@vger.kernel.org \
--cc=olaf+list.linux-kernel@olafdietsche.de \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox