From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752311AbcFVSO3 (ORCPT ); Wed, 22 Jun 2016 14:14:29 -0400 Received: from mail-wm0-f41.google.com ([74.125.82.41]:38819 "EHLO mail-wm0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751059AbcFVSO1 (ORCPT ); Wed, 22 Jun 2016 14:14:27 -0400 Subject: Re: [RFC] capabilities: add capability cgroup controller To: "Serge E. Hallyn" References: <1466278320-17024-1-git-send-email-toiwoton@gmail.com> <20160621154527.GA10565@mail.hallyn.com> <20160622171418.GA32495@mail.hallyn.com> Cc: linux-kernel@vger.kernel.org, Kees Cook From: Topi Miettinen Openpgp: id=A0F2EB0D8452DA908BEC8E911CF9ADDBD610E936 Message-ID: Date: Wed, 22 Jun 2016 18:14:18 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Icedove/45.1.0 MIME-Version: 1.0 In-Reply-To: <20160622171418.GA32495@mail.hallyn.com> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/22/16 17:14, Serge E. Hallyn wrote: > Quoting Topi Miettinen (toiwoton@gmail.com): >> On 06/21/16 15:45, Serge E. Hallyn wrote: >>> Quoting Topi Miettinen (toiwoton@gmail.com): >>>> On 06/19/16 20:01, serge@hallyn.com wrote: >>>>> apologies for top posting, this phone doesn't support inline) >>>>> >>>>> Where are you preventing less privileged tasks from limiting the caps of a more privileged task? It looks like you are relying on the cgroupfs for that? >>>> >>>> I didn't think that aspect. Some of that could be dealt with by >>>> preventing tasks which don't have CAP_SETPCAP to make other tasks join >>>> or set the bounding set. One problem is that the privileges would not be >>>> checked at cgroup.procs open(2) time but only when writing. In general, >>>> less privileged tasks should not be able to gain new capabilities even >>>> if they were somehow able to join the cgroup and also your case must be >>>> addressed in full. >>>> >>>>> >>>>> Overall I'm not a fan of this for several reasons. Can you tell us precisely what your use case is? >>>> >>>> There are two. >>>> >>>> 1. Capability use tracking at cgroup level. There is no way to know >>>> which capabilities have been used and which could be trimmed. With >>>> cgroup approach, we can also keep track of how subprocesses use >>>> capabilities. Thus the administrator can quickly get a reasonable >>>> estimate of a bounding set just by reading the capability.used file. >>> >>> So to estimate the privileges needed by an application? Note this >>> could also be done with something like systemtap, but that's not as >>> friendly of course. >>> >> >> I've used systemtap to track how a single process uses capabilities, but >> I can imagine that without the cgroup, using it to track several >> subprocesses could be difficult. >> >>> Keeping the tracking part separate from enforcement might be worthwhile. >>> If you wanted to push that part of the patchset, we could keep >>> discussing the enforcement aspect separately. >>> >> >> OK, I'll prepare the tracking part first. > > So this does still have some security concerns, namely leaking information > to a less privileged process about what privs a root owned process used. > That's not on the same level as giving away details about memory mappings, > but could be an issue. Kees (cc'd), do you see that as an issue ? > > thanks, > -serge > Anyone can see the full set of capabilities available to each process via /proc/pid/status. But should I for example add a new flag CFTYPE_OWNER_ONLY to limit reading capability.used file to only owner (root) and use it here? -Topi