lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTimcv-0e2=B07LohKEc2VpMCKFSrGLc=9dkUef92@mail.gmail.com>
Date:	Sat, 12 Mar 2011 09:01:35 -0800
From:	"Andrew G. Morgan" <morgan@...nel.org>
To:	Greg KH <greg@...ah.com>
Cc:	Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, dhowells@...hat.com,
	jmorris@...ei.org, serge.hallyn@...onical.com
Subject: Re: [PATCH -v2] capabilites: allow the application of capability
 limits to usermode helpers

I'd prefer it if the invoker had both CAP_SETPCAP and CAP_SYS_MODULE
in its pE set.

Also, have you considered an interface for setting the default values
that is something like a "clone mine"? That is, cache the invoker's
cap_inheritable, and cap_bound? (But not cap_permitted and
cap_effective!) This would take care of atomicity and also allow for
potentially including more state when folk find its logically
necessary as the kernel evolves.

Cheers

Andrew

On Wed, Mar 9, 2011 at 2:26 PM, Greg KH <greg@...ah.com> wrote:
> On Wed, Mar 09, 2011 at 05:11:12PM -0500, Eric Paris wrote:
>> On Wed, 2011-03-09 at 13:38 -0800, Greg KH wrote:
>> > > When the kernel launches a usermodehelper it will do so with these as
>> > > the bset and pI.
>> >
>> > Shouldn't the caller of these functions be the ones dictating the
>> > capabilities it should be run with?
>>
>> Yes. And no.  It depends what you mean.  The caps of the 'caller' task
>> are irrelevant.  If I run ifconfig ipv6 I need CAP_NET_ADMIN but the
>> upcall needs CAP_SYS_MODULE.  If I plug in a USB drive there is no
>> 'caller' task which makes sense.
>>
>> Now if by 'caller' you mean 'call site' then yes, we could probably
>> launch usermodehelpers with reduced privileged sets.  We know in the
>> code when we are asking to launch modprobe that we are going to need
>> CAP_SYS_MODULE and don't need caps like CAP_SYS_RAWIO and CAP_MAC_ADMIN.
>> We know when we upcall to hotplug we don't really need any priv, since
>> it's another task that is going to do the real work.  So yeah, there
>> might be some value in another patch to address this....
>
> Yes, that is what I was referring to.
>
>> But neither solves the problem of being able to eliminate capabilities
>> from a machine globally.  In olden times we had a global cap-bound but
>> it was dropped in favor of an inheritance from init type mechanism.
>> Since kthreads don't inherit from init we still end up with this patch.
>
> I'm not objecting to the patch, or the idea, just want to make sure it
> is correct.
>
> thanks,
>
> greg k-h
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ