| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jun 2016 20:45:59 +0000 From: Topi Miettinen <toiwoton@...il.com> To: Andy Lutomirski <luto@...capital.net> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Serge Hallyn <serge.hallyn@...onical.com>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, "Richard W.M. Jones" <rjones@...hat.com>, Iago López Galeiras <iago@...ocode.com>, Chris Metcalf <cmetcalf@...hip.com>, Andy Lutomirski <luto@...nel.org>, Jann Horn <jann@...jh.net>, "open list:FILESYSTEMS (VFS and infrastructure)" <linux-fsdevel@...r.kernel.org>, "open list:CAPABILITIES" <linux-security-module@...r.kernel.org> Subject: Re: [RFC 01/18] capabilities: track actually used capabilities On 06/13/16 20:32, Andy Lutomirski wrote: > On Mon, Jun 13, 2016 at 12:44 PM, Topi Miettinen <toiwoton@...il.com> wrote: >> Track what capabilities are actually used and present the current >> situation in /proc/self/status. > > What for? Excerpt from the cover letter: "There are many basic ways to control processes, including capabilities, cgroups and resource limits. However, there are far fewer ways to find out useful values for the limits, except blind trial and error. This patch series attempts to fix that by giving at least a nice starting point from the actual maximum values. I looked where each limit is checked and added a call to limit bump nearby. Capabilities [RFC 01/18] capabilities: track actually used capabilities Currently, there is no way to know which capabilities are actually used. Even the source code is only implicit, in-depth knowledge of each capability must be used when analyzing a program to judge which capabilities the program will exercise." Should I perhaps cite some of this in the commit? > > What is the intended behavior on fork()? Whatever the intended > behavior is, there should IMO be a selftest for it. > > --Andy > The capabilities could be tracked from three points of daemon initialization sequence onwards: fork() setpcap() exec() fork() case would be logical as the /proc entry is per task. But if you consider the tools to set the capabilities (for example systemd unit files), there can be between fork() and exec() further preparations which need more capabilities than the program itself needs. setpcap() is probably the real point after which we are interested if the capabilities are enough. The amount of setup between setpcap() and exec() is probably very low. -Topi
Powered by blists - more mailing lists