Re: implement-file-posix-capabilities.patch


--- "Serge E. Hallyn" <serue@xxxxxxxxxx> wrote:

Quoting Casey Schaufler (casey@xxxxxxxxxxxxxxxx):

--- Andrew Morgan <morgan@xxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Serge E. Hallyn wrote:
Does that explain it?

Yes, thanks, but then it still could come in handy to have fE be a full
bitset, so the application gets some eff caps automatically, while
others it has to manually set...

[We touched on this a number of emails back.]

If an application is capability aware, it can manipulate its own
capabilities and should have fE=0.

If an application is not capability aware, it needs to have *all* of its
capabilities enabled at exec() time. Otherwise, it won't work.

The intent of the fE vector in the POSIX draft is that those capabilities
are set on exec (lower vectors permitting). There are cases where it
does make sense to raise just some (e.g. ping).

The only reason for having an fE bitmap is to allow a capability-aware
program (you really trust to do its privileged operations carefully) to
be lazy and get some of its capabilities raised for free. Perhaps you
can clarify why this is a desirable thing? :-)

No, it's to allow you to grant a subset of the available capabilities
to a program that is not aware of capabilities. You can give "date"
the capability to reset the clock without giving it the capability
to remove other people's files without changing the code or running
it setuid.

Would there be a difference between that and setting either fI or fP
(depending on your intent) to those caps, and setting fE=1 in Andrew's
scheme?

Arg, you're making me think. The POSIX group went through this,
let me see if I can reconstruct the logic.

The main issue is one if there being a possible case where you
have a capability ignorant program that you want to exec with
a different fP and fE. On first glance it seems that since the
program is capability ignorant it can't matter. But what if your
capability ignorant program exec's a capability aware program
to perform a helper function? You may well want the first program
to have a capability that it does not use in fP (but not fE)
to pass along to the helper program. True, you could probably
come up with a way to set the capabilities on the helper program
to account for this use, but there may be design and security
constraints that make doing so complicated.



Casey Schaufler
casey@xxxxxxxxxxxxxxxx
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Relevant Pages

  • Re: implement-file-posix-capabilities.patch
    ... The POSIX group went through this, ... program is capability ignorant it can't matter. ... If program A executes helper program B, ...
    (Linux-Kernel)
  • Re: implement-file-posix-capabilities.patch
    ... The POSIX group went through this, ... program is capability ignorant it can't matter. ... If program A executes helper program B, ... with a vector over a scalar I'm good with either scheme. ...
    (Linux-Kernel)