| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Oct 2011 22:03:14 -0500 From: "Serge E. Hallyn" <serge.hallyn@...onical.com> To: "Andrew G. Morgan" <morgan@...nel.org> Cc: "Serge E. Hallyn" <serge@...lyn.com>, David Howells <dhowells@...hat.com>, linux-kernel@...r.kernel.org, ebiederm@...ssion.com, akpm@...ux-foundation.org, oleg@...hat.com, richard@....at, mikevs@...all.net, segoon@...nwall.com, gregkh@...e.de, eparis@...hat.com Subject: Re: [PATCH 05/10] user namespace: clamp down users of cap_raised Quoting Andrew G. Morgan (morgan@...nel.org): > On Mon, Oct 24, 2011 at 10:28 AM, Serge E. Hallyn > <serge.hallyn@...onical.com> wrote: > > Quoting Andrew G. Morgan (morgan@...nel.org): > >> Serge, > >> > >> It seems as if this whole thing is really idiomatic. How about? > >> > >> #define IN_ROOT_USER_NS_CAPABLE(cap) \ > >> ((current_user_ns() == &init_user_ns) && cap_raised(current_cap(), cap)) > > > > My objection to this was that it seems to encourage others to use it :) I'm > > not sure we want that. Also, IN_ROOT_USER_NS seems more generally useful. > > What is driving the choice of when its appropriate? How can a I'd like to say it's never appropriate. The reason is that it bypasses the whole security_ops->capable() sequence, so for instance SELinux is kept in the dark. > developer determine this? If you make it hard, presumably folk won't > do it by default, but will that create a burdon on others to go round > patching things like this up? > > > But if I'm the only one who feels this way I'll go ahead and do it... > > I'm more of a optimize for a human to read the source code (ie. debug > a problem) kind of person. If IN_ROOT_USER_NS is useful, you could > always define IN_ROOT_USER_NS_CAPABLE in terms of IN_ROOT_USER_NS && My other objection is that, in contrast to IN_ROOT_USER_NS(), which is very clear, IN_ROOT_USER_NS_CAPABLE() is not as helpful. I'm sure a better name is out there somewhere, though. > ... and provide both. > > I guess I'm unclear, however, when you want developers to use one or > the other variant of the basic capable() functionality. Since I'm not > clear, I'm suspecting this is a fragile situation. I think only security code (LSMs) should be using cap_raised directly. Everything else should go through the capable()/has_capability() family of functions. Which, incidentally, have been (or are about to be) made less of a mess and thus less fragile by Eric Paris' patchset starting at http://www.spinics.net/linux/fedora/linux-security-module/msg11896.html -serge -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists