From: Luca Boccassi <bluca@debian.org>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: netdev@vger.kernel.org, dsahern@gmail.com, luto@amacapital.net
Subject: Re: [RFC PATCH iproute2] Drop capabilities if not running ip exec vrf with libcap
Date: Tue, 27 Mar 2018 18:43:42 +0100
Message-ID: <1522172622.14111.112.camel@debian.org>
In-Reply-To: <20180327101519.473a1372@xeon-e3>
On Tue, 2018-03-27 at 10:15 -0700, Stephen Hemminger wrote:
> On Tue, 27 Mar 2018 17:24:19 +0100
> Luca Boccassi <bluca@debian.org> wrote:
>
> > ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
> > CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
> > ping as non-root or non-cap-enabled due to this requirement.
> > To allow users and administrators to safely add the required
> > capabilities to the binary, drop all capabilities on start if not
> > invoked with "vrf exec".
> > Update the manpage with the requirements.
> >
> > Signed-off-by: Luca Boccassi <bluca@debian.org>
>
> Gets a little messy, but don't have a better answer.
> When a command like iproute gets involved in security policy things
> I become concerned that it may have unexpected consequences.

Yeah I understand. It requires an explicit action by the sysadmin, to
give you plausible deniability :-)

I've seen changes to let BPF permissions be managed via an LSM (I think
SELinux support is already merged in 4.15), so perhaps one day we'll be
able to do the whole shebang (subdir in /sys + load bpf + manipulate
cgroup) in a more fine-grained way, but for now I think this will do.

I'll send v1 shortly with the change asked by David.

--
Kind regards,
Luca Boccassi