Message-ID: <1295034658.2816.16.camel@localhost.localdomain>
Date: Fri, 14 Jan 2011 14:50:57 -0500
From: Eric Paris <eparis@...hat.com>
To: "Serge E. Hallyn" <serge@...onical.com>
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, sgrubb@...hat.com,
Andrew Morgan <morgan@...nel.org>
Subject: Re: [PATCH] System Wide Capability Bounding Set
On Tue, 2011-01-11 at 16:02 -0600, Serge E. Hallyn wrote:
> Quoting Eric Paris (eparis@...hat.com):
> > @@ -305,6 +310,8 @@ static inline int bprm_caps_from_vfs_caps(struct cpu_vfs_cap_data *caps,
> > new->cap_permitted.cap[i] =
> > (new->cap_bset.cap[i] & permitted) |
> > (new->cap_inheritable.cap[i] & inheritable);
> > + /* the global set is global damn it */
> > + new->cap_permitted.cap[i] &= global_cap_bset.cap[i];
>
> [ If I'm thinking right: ]
>
> Global may be global, but you're changing the formula (here, for a
> non-root task executing a file with filecaps) from
>
> pP' = (X & fP) | (pI & fI)
>
> to
>
> A = (X & FP) | (pI & fI)
> pP' = Z & A // Z == global bounding set
>
> In other words, you are not simply enforcing "the intersection of
> the global and per-process bounding sets".
>
> Whereas,
>
> > if (permitted & ~new->cap_permitted.cap[i])
> > /* insufficient to execute correctly */
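Review bot: the added `new->cap_permitted.cap[i] &= global_cap_bset.cap[i];` masks the whole result, so the `(new->cap_inheritable.cap[i] & inheritable)` term is also clipped by the global set, while the cap_bprm_set_creds hunk of this same patch intersects the global set only with cap_bset. If the intended rule is "intersection of the global and per-process bounding sets", mask the bounding-set operand instead, e.g. `(new->cap_bset.cap[i] & global_cap_bset.cap[i] & permitted) | (new->cap_inheritable.cap[i] & inheritable)`, and drop the separate `&=`. Either way, the following `if (permitted & ~new->cap_permitted.cap[i])` check now fails exec for any file-permitted bit outside the global set, as it already does for the per-process set; that behaviour belongs in the changelog. The comment `/* the global set is global damn it */` should state what the line does rather than vent.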
> > @@ -438,6 +445,9 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
> > return ret;
> >
> > if (!issecure(SECURE_NOROOT)) {
> > + kernel_cap_t bset = cap_intersect(old->cap_bset,
> > + global_cap_bset);
> > +
> > /*
> > * If the legacy file capability is set, then don't set privs
> > * for a setuid root binary run by a non-root user. Do set it
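Review bot: `bset` is computed inside the `if (!issecure(SECURE_NOROOT))` block, so only the legacy root path sees `cap_intersect(old->cap_bset, global_cap_bset)`; the non-root/file-capability path in bprm_caps_from_vfs_caps applies the global set with a different formula. Compute the intersection once before this branch and hand the same value to both paths so the policy does not depend on uid. Nothing in the visible lines shows how `global_cap_bset` is protected against a concurrent writer; if, like the per-task bounding set, it can only ever be narrowed, say so in a comment next to this read, otherwise a reader will expect a lock or RCU around it.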
> > @@ -456,8 +466,7 @@ int cap_bprm_set_creds(struct linux_binprm *bprm)
> > */
> > if (new->euid == 0 || new->uid == 0) {
> > /* pP' = (cap_bset & ~0) | (pI & ~0) */
> > - new->cap_permitted = cap_combine(old->cap_bset,
> > - old->cap_inheritable);
> > + new->cap_permitted = cap_combine(bset, old->cap_inheritable);
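Review bot: the comment `/* pP' = (cap_bset & ~0) | (pI & ~0) */` just above is now stale: with `cap_combine(bset, old->cap_inheritable)` the formula is `((cap_bset & global_cap_bset) & ~0) | (pI & ~0)`, and here `pI` is not subject to the global set at all, whereas the non-root hunk masks the entire result. Update the comment to the new formula and decide explicitly whether inheritable capabilities are meant to be bounded by the global set, then apply that one rule in both places.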
>
> here (for a root task) you are using
>
> pP' = (Z & X) | pI
>
> So the inheritable tasks get masked with the global bounding set for
> non-root tasks, but not for root tasks.
I believe you are thinking correctly and I am wrong. Someone else has
some other issues with the patch but would prefer to keep that
conversation offline. I will certainly be back with changes and
explanation of changes (hopefully shortly).
Thanks Serge!
-Eric
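As an added illustration of the asymmetry Serge describes, not code from the posted patch or from the kernel, the following C model computes pP' under the three formulas quoted above on constructed sample sets. A capability set is modelled as a single 64-bit mask (the kernel splits it across cap[i] words), only a few capabilities are defined (using the Linux capability numbers), and the set names X, Z, fP, pI and fI follow the thread's notation.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the exec-time permitted-set formulas quoted in this
 * thread. Not the patch's or the kernel's code: a capability set is modelled
 * as a 64-bit mask (the kernel splits it across cap[i] words), and only a
 * handful of capabilities are defined, using the Linux capability numbers. */
typedef uint64_t capset_t;

#define CAP_BIT(n)           ((capset_t)1 << (n))
#define CAP_CHOWN            CAP_BIT(0)
#define CAP_NET_BIND_SERVICE CAP_BIT(10)
#define CAP_NET_RAW          CAP_BIT(13)
#define CAP_SYS_MODULE       CAP_BIT(16)
#define CAP_SYS_ADMIN        CAP_BIT(21)
#define CAP_ALL              (~(capset_t)0)

/* Notation as in the thread: X = per-process bounding set, Z = global bounding
 * set, fP/fI = file permitted/inheritable, pI = process inheritable. */

/* Non-root task executing a file with file capabilities, as the posted
 * bprm_caps_from_vfs_caps hunk computes it:
 *   A = (X & fP) | (pI & fI);  pP' = Z & A */
capset_t perm_nonroot_patch(capset_t X, capset_t Z, capset_t fP,
                            capset_t pI, capset_t fI)
{
    capset_t A = (X & fP) | (pI & fI);
    return Z & A;
}

/* Same case with Z applied only as an intersection with X, i.e. the
 * "intersection of the global and per-process bounding sets" reading:
 *   pP' = ((X & Z) & fP) | (pI & fI) */
capset_t perm_nonroot_intersect(capset_t X, capset_t Z, capset_t fP,
                                capset_t pI, capset_t fI)
{
    return ((X & Z) & fP) | (pI & fI);
}

/* Root task (uid or euid 0, SECURE_NOROOT clear), as the posted
 * cap_bprm_set_creds hunk computes it with bset = X & Z:
 *   pP' = (Z & X) | pI */
capset_t perm_root_patch(capset_t X, capset_t Z, capset_t pI)
{
    return (Z & X) | pI;
}

/* The "insufficient to execute correctly" test that follows the first hunk:
 * non-zero when a file-permitted bit did not make it into the new pP. */
int insufficient_to_execute(capset_t fP, capset_t pP_new)
{
    return (fP & ~pP_new) != 0;
}

int main(void)
{
    /* Constructed scenario: the global set withholds CAP_SYS_MODULE and
     * CAP_SYS_ADMIN, the task already holds CAP_SYS_ADMIN in pI and the
     * file allows it to be inherited. */
    capset_t X  = CAP_ALL;
    capset_t Z  = ~(CAP_SYS_MODULE | CAP_SYS_ADMIN);
    capset_t fP = CAP_NET_BIND_SERVICE | CAP_SYS_MODULE;
    capset_t pI = CAP_SYS_ADMIN | CAP_NET_RAW;
    capset_t fI = pI;

    capset_t nonroot   = perm_nonroot_patch(X, Z, fP, pI, fI);
    capset_t intersect = perm_nonroot_intersect(X, Z, fP, pI, fI);
    capset_t root      = perm_root_patch(X, Z, pI);

    printf("non-root, patch as posted : CAP_SYS_ADMIN %s\n",
           (nonroot & CAP_SYS_ADMIN) ? "kept" : "dropped");
    printf("non-root, bset intersect  : CAP_SYS_ADMIN %s\n",
           (intersect & CAP_SYS_ADMIN) ? "kept" : "dropped");
    printf("root, patch as posted     : CAP_SYS_ADMIN %s\n",
           (root & CAP_SYS_ADMIN) ? "kept" : "dropped");
    printf("file wants CAP_SYS_MODULE outside Z -> insufficient: %d\n",
           insufficient_to_execute(fP, nonroot));
    return 0;
}
```

With the sample sets, the non-root path as posted drops the inherited CAP_SYS_ADMIN while the root path keeps it, which is exactly the inconsistency raised above; the intersection form keeps the inheritable term unmasked in both cases. The last line shows that a file-permitted bit outside Z makes the exec fail the "insufficient" check, the same way a bit outside X already does.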