From: Luca Boccassi
Subject: Re: [RFC PATCH iproute2] Drop capabilities if not running ip exec vrf with libcap
Date: Tue, 27 Mar 2018 18:43:42 +0100
Message-ID: <1522172622.14111.112.camel@debian.org>
References: <20180327162419.8962-1-bluca@debian.org> <20180327101519.473a1372@xeon-e3>
In-Reply-To: <20180327101519.473a1372@xeon-e3>
To: Stephen Hemminger
Cc: netdev@vger.kernel.org, dsahern@gmail.com, luto@amacapital.net

On Tue, 2018-03-27 at 10:15 -0700, Stephen Hemminger wrote:
> On Tue, 27 Mar 2018 17:24:19 +0100
> Luca Boccassi wrote:
> 
> > ip vrf exec requires root or CAP_NET_ADMIN, CAP_SYS_ADMIN and
> > CAP_DAC_OVERRIDE. It is not possible to run unprivileged commands like
> > ping as non-root or non-cap-enabled due to this requirement.
> > To allow users and administrators to safely add the required
> > capabilities to the binary, drop all capabilities on start if not
> > invoked with "vrf exec".
> > Update the manpage with the requirements.
> > 
> > Signed-off-by: Luca Boccassi
> 
> Gets a little messy, but don't have a better answer.
> When a command like iproute gets involved in security policy things
> I become concerned that it may have unexpected consequences.

Yeah I understand. It requires an explicit action by the sysadmin, to give you plausible deniability :-)

I've seen changes to let BPF permissions be managed via an LSM (I think SELinux support is already merged in 4.15), so perhaps one day we'll be able to do the whole shebang (subdir in /sys + load bpf + manipulate cgroup) in a more fine-grained way, but for now I think this will do.

I'll send v1 shortly with the change asked by David.

-- 
Kind regards,
Luca Boccassi
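The start-up rule described in the quoted patch summary (keep capabilities only for "vrf exec", clear them for every other subcommand before doing anything else), as an added example that is not the iproute2 patch itself: the real patch goes through libcap, whereas this version uses the raw capget(2)/capset(2) syscalls so it builds without -lcap. The names should_keep_caps, drop_all_capabilities and has_effective_cap are mine, and the argv check assumes no global options precede the object, which the real ip parser does not assume.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* 1 only for the "vrf exec" invocation, which needs CAP_NET_ADMIN,
 * CAP_SYS_ADMIN and CAP_DAC_OVERRIDE; every other subcommand gets 0 and
 * must run with no capability at all.  (Example code, not iproute2.) */
int should_keep_caps(int argc, char *const argv[])
{
    return argc >= 3 && strcmp(argv[1], "vrf") == 0 && strcmp(argv[2], "exec") == 0;
}

/* Clear the effective, permitted and inheritable sets of the calling thread.
 * Reducing capabilities never needs privilege, so this also succeeds for an
 * unprivileged caller.  Returns 0 on success, -1 (errno set) on failure. */
int drop_all_capabilities(void)
{
    struct __user_cap_header_struct hdr = {
        .version = _LINUX_CAPABILITY_VERSION_3,
        .pid = 0,                       /* 0 selects the calling thread */
    };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(data, 0, sizeof(data));      /* every bit of every set cleared */
    return syscall(SYS_capset, &hdr, data);
}

/* Verification hook: 1 if cap is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { .version = _LINUX_CAPABILITY_VERSION_3, .pid = 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap / 32].effective >> (cap % 32)) & 1;
}

int main(int argc, char *argv[])
{
    if (!should_keep_caps(argc, argv) && drop_all_capabilities() != 0) {
        perror("capset");
        return 1;
    }
    printf("CAP_NET_ADMIN effective: %d\n", has_effective_cap(CAP_NET_ADMIN));
    return 0;
}
```

Run it once as `./a.out link` and once as `./a.out vrf exec` on a copy that has file capabilities set to see the effective set cleared in the first case and kept in the second.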