public inbox for linux-kernel@vger.kernel.org
From: Markku Savela <msa@moth.iki.fi>
To: Andy Lutomirski <luto@amacapital.net>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
	"Andrew G. Morgan" <morgan@kernel.org>,
	linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Kees Cook <keescook@chromium.org>,
	James Morris <james.l.morris@oracle.com>,
	Eric Paris <eparis@redhat.com>,
	"Serge E. Hallyn" <serge@canonical.com>
Subject: Re: [RFC] Capabilities still can't be inherited by normal programs
Date: Wed, 05 Dec 2012 22:12:15 +0200
Message-ID: <50BFAA9F.7090001@moth.iki.fi>
In-Reply-To: <CALCETrW05JtRZSSJ0v=jz8B7_av1QS+D5qux5=q8aO3iWZHB1A@mail.gmail.com>

On 12/05/2012 09:32 PM, Andy Lutomirski wrote:
>> >Anyway, implementing the features you want in a new module is encouraged,
>> >so long as the behavior of existing module stays the same.
> I'll think about it some more and do it possibly using a sysctl.
> Adding this kind of stuff in a module is asking for even worse
> incomprehensibility of which capability bit means what.

For what it's worth, and just for information: this module approach
has been attempted, sort of. I did implement capabilities inheritance
in Nokia N9 (Aegis). The capabilities started to inherit when a task
entered "aegis mode" (a bit in secure bits).

The experience was "interesting". There are many "simplified" articles
about running root with less than full capabilities, and we did that.
However, it also caused a lot of headache, because many people got
hit by this "root is no more omnipotent" thing and complained. It was
a pain to manage and find the correct required capabilities for each
task, and often the end result was to grant all (or at least too much).



