Re: implement-file-posix-capabilities.patch



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Casey Schaufler wrote:
>> The only reason for having an fE bitmap is to allow a capability-aware
>> program (you really trust to do its privileged operations carefully) to
>> be lazy and get some of its capabilities raised for free. Perhaps you
>> can clarify why this is a desirable thing? :-)

> No, it's to allow you to grant a subset of the available capabilities
> to a program that is not aware of capabilities. You can give "date"
> the capability to reset the clock without giving it the capability
> to remove other people's files without changing the code or running
> it setuid.

This is precisely what fE = 0 or ~0 provides.

Recall, an exec()'d program gets its p*' capabilities from a convolution
of its exec()er's inheritable set (pI) *and* the file's capabilities
(fI,fP,fE):

pI' = pI
pP' = (X & fP) | (pI & fI)
pE' = pP' & fE

[Linux essentially has cap_bset for X.]

The fine-grain ability for ping to do its thing without becoming
powerful enough to load a kernel module, for example, is facilitated by
the "pP' &" part of the derivation of pE' (and not simply the unfiltered
value of fE!).

As I said before, either the program knows how to raise and lower bits
in its pE set, or it doesn't. In the former case, fE=0. In the latter
case, fE=~0 will ensure that it gets all of the capabilities it is
permitted to exercise at time of execution.
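The three-line transformation above, worked through in C as an added example (this is not code from the patch under discussion or from the kernel; it is a model of the arithmetic in the message). It assumes a 64-bit mask per set and uses the capability bit numbers from linux/capability.h, redefined locally so it builds without the header. The "date" and "ping" cases show why fE = ~0 cannot hand a capability-unaware program anything beyond pP', and the last case shows the bounding set X clipping fP even when fE asks for everything.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers as in linux/capability.h, reproduced here so the
 * example compiles stand-alone. */
#define CAP_DAC_OVERRIDE 1
#define CAP_NET_RAW      13
#define CAP_SYS_MODULE   16
#define CAP_SYS_TIME     25

typedef uint64_t capset_t;
#define CAP_BIT(c) ((capset_t)1 << (c))
#define CAP_ALL    (~(capset_t)0)   /* "~0" in the message */

/* Process sets: inheritable, permitted, effective. */
struct pcaps { capset_t pI, pP, pE; };
/* File sets: inheritable, permitted, effective. */
struct fcaps { capset_t fI, fP, fE; };

/* The exec() transformation from the message:
 *   pI' = pI
 *   pP' = (X & fP) | (pI & fI)
 *   pE' = pP' & fE
 * X is the bounding set (cap_bset on Linux). */
struct pcaps cap_exec(struct pcaps p, struct fcaps f, capset_t X)
{
    struct pcaps n;
    n.pI = p.pI;
    n.pP = (X & f.fP) | (p.pI & f.fI);
    n.pE = n.pP & f.fE;
    return n;
}

/* Case 1: capability-unaware "date", fP = {CAP_SYS_TIME}, fE = ~0, run by an
 * unprivileged caller. It becomes effective with exactly CAP_SYS_TIME; the
 * all-ones fE does not add CAP_DAC_OVERRIDE because pE' is masked by pP'. */
capset_t unaware_date_effective(void)
{
    struct pcaps p = { 0, 0, 0 };
    struct fcaps f = { 0, CAP_BIT(CAP_SYS_TIME), CAP_ALL };
    return cap_exec(p, f, CAP_ALL).pE;
}

/* Case 2: capability-aware "ping", fP = {CAP_NET_RAW}, fE = 0. The bit is
 * permitted but not effective; the program raises it itself when it opens
 * its raw socket and drops it again afterwards. */
struct pcaps aware_ping(void)
{
    struct pcaps p = { 0, 0, 0 };
    struct fcaps f = { 0, CAP_BIT(CAP_NET_RAW), 0 };
    return cap_exec(p, f, CAP_ALL);
}

/* Case 3: the inheritable path. Only bits present in BOTH pI and fI survive,
 * so a file asking for CAP_SYS_MODULE via fI gets nothing unless the caller
 * already carried it in pI. */
capset_t inherited_effective(void)
{
    struct pcaps p = { CAP_BIT(CAP_NET_RAW), 0, 0 };
    struct fcaps f = { CAP_BIT(CAP_NET_RAW) | CAP_BIT(CAP_SYS_MODULE), 0, CAP_ALL };
    return cap_exec(p, f, CAP_ALL).pE;
}

/* Case 4: the bounding set. fP = fE = ~0, but X lacks CAP_SYS_MODULE, so
 * pP' (and therefore pE') can never contain it. */
capset_t bounded_effective(void)
{
    struct pcaps p = { 0, 0, 0 };
    struct fcaps f = { 0, CAP_ALL, CAP_ALL };
    capset_t X = CAP_ALL & ~CAP_BIT(CAP_SYS_MODULE);
    return cap_exec(p, f, X).pE;
}

int main(void)
{
    struct pcaps ping = aware_ping();
    printf("date    pE' = %#llx\n", (unsigned long long)unaware_date_effective());
    printf("ping    pP' = %#llx  pE' = %#llx\n",
           (unsigned long long)ping.pP, (unsigned long long)ping.pE);
    printf("inherit pE' = %#llx\n", (unsigned long long)inherited_effective());
    printf("bounded pE' has SYS_MODULE: %s\n",
           (bounded_effective() & CAP_BIT(CAP_SYS_MODULE)) ? "yes" : "no");
    return 0;
}
```

The point the cases make is the one in the message: fE is a per-file switch between "raise your own bits" (fE = 0) and "get everything you are permitted" (fE = ~0), and in neither setting can it widen pE' past the "pP' &" term.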

Could you cite some examples of where this position is unreasonable?

Thanks

Andrew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGg9i1+bHCR3gb8jsRAvViAJ9T5x1fHrLGF4niRq7VhRqg4sej3wCgxkom
oAFQEQwLkd/D6J5gi7Fb3Ww=
=+ZLb
-----END PGP SIGNATURE-----