| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 5 Feb 2015 01:20:42 +0100 From: "Serge E. Hallyn" <serge@...lyn.com> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Serge Hallyn <serge.hallyn@...ntu.com>, Christoph Lameter <cl@...ux.com>, Serge Hallyn <serge.hallyn@...onical.com>, Andy Lutomirski <luto@...capital.net>, Jonathan Corbet <corbet@....net>, Aaron Jones <aaronmdjones@...il.com>, Ted Ts'o <tytso@....edu>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, akpm@...uxfoundation.org Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities Quoting Casey Schaufler (casey@...aufler-ca.com): > On 2/2/2015 10:08 AM, Serge Hallyn wrote: > > Quoting Casey Schaufler (casey@...aufler-ca.com): > >> I'm game to participate in such an effort. The POSIX scheme > >> is workable, but given that it's 20 years old and hasn't > >> developed real traction it's hard to call it successful. > > Over the years we've several times discussed possible reasons for this > > and how to help. I personally think it's two things: 1. lack of > > toolchain and fs support. The fact that we cannot to this day enable > > ping using capabilities by default because of cpio, tar and non-xattr > > filesystems is disheartening. 2. It's hard for users and applications > > to know what caps they need. yes the API is a bear to use, but we can > > hide that behind fancier libraries. But using capabilities requires too > > much in-depth knowledge of precisely what caps you might need for > > whatever operations library may now do when you asked for something. > > The fix for that is to a change to the audit system. If the audit system > reported the capabilities relevant to the decision you'd have what you > need. If you failed because you didn't have CAP_CHMOD or you succeeded > because you had CAP_SYS_ADMIN it should show up in the audit record. > Other systems have used this approach. > > You could, of course, create a separate capability result log, and I > believe that Nokia had done something along those lines. I think that > adding it to the audit trail is a more rational approach. I wonder how much that would end up affecting performance, assuming it left an audit message at every ns_capable() failure. Even if it was only done under a certain sysctl, it could certainly be useful. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists