Message-ID: <20110822203102.GA22687@stro.at>
Date: Mon, 22 Aug 2011 22:31:02 +0200
From: maximilian attems <max@...o.at>
To: Mike Waychison <mikew@...gle.com>
Cc: "H. Peter Anvin" <hpa@...or.com>,
"Andrew G. Morgan" <agm@...gle.com>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Eric Northup <digitaleric@...gle.com>,
Eric Paris <eparis@...isplace.org>, klibc@...or.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] kinit: Add drop_capabilities support.
On Wed, 03 Aug 2011, Mike Waychison wrote:
> This patch adds the ability to kinit to allow the dropping of POSIX
> capabilities.
>
> kinit is modified by this change, such that it understands the new
> kernel command line "drop_capabilities=" that specifies a comma
> separated list of capability names that should be dropped before
> switching over to the next init in the bootstrap (typically on the root
> disk).
>
> Dropping of capabilities happens in three parts. We explicitly drop the
> capability from init's inherited masks. We also drop the capability
> from the bounding set using PR_CAPBSET_DROP so that later setuid execs
> are bounded. Lastly, we drop the capabilities from the bset and
> inherited masks exposed at /proc/sys/kernel/usermodehelper if available
> (introduced in Linux v3.0.0).
>
> In all paths, we treat errors as fatal, as we do not want to continue to
> boot if there was a problem dropping capabilities. We fail because the
> new drop_capabilities= option on the command line mandates enforcement
> of a security policy, and we should err on the side of caution if we
> ever fail to satisfy the administrator's intention.
>
> Signed-off-by: Mike Waychison <mikew@...gle.com>
> ---
> v3
> - Removed special handling of dropping CAP_SETPCAP now that we are
> only dropping the capability from the inherited mask as suggested
> by Andrew Morgan.
> v2
> - Only drop from the inherited capabilities mask. Only this mask
> was required as per Andrew Morgan. This also allows us to
> continue having capabilities to call run-init later on, allowing
> the following:
> - Moved dropping of capabilities out of run-init and into kinit.
> This was required to ensure access to the proc filesystem, which
> is required for manipulating the masks the kernel uses when
> spawning new tasks on the kernel's behalf via the
> call_usermodehelper() routine.
> - Fixed paths to the usermodehelper settings files.
> - Fixed sscanf to allow for a newline character when reading the
> usermodehelper capability mask settings.
> - Fixed the return check of the write to the usermodehelper files.
> These proc files return 0 on successful write(2).
> - Added a format attribute to the fail() wrapper for better
> compiler warnings.
> - Removed kernel version check. The boot will now always fail if we
> could not manipulate the usermodehelper settings.
> - Sent as a single patch as capset/capget are now in klibc master.
> ---
Should appear shortly on:
http://git.kernel.org/?p=libs/klibc/klibc.git;a=summary
Applied and pushed. Thank you!
--
maks
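An added illustration of the first two of the three drop steps the quoted patch description lists, written against the raw capget/capset and prctl(PR_CAPBSET_DROP) interfaces; this is not the klibc patch's own code. The capability name table is a constructed subset (the numbers come from linux/capability.h), and the /proc/sys/kernel/usermodehelper step is left out.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Constructed name table (a subset); the numbers come from linux/capability.h. */
static const struct { const char *name; int cap; } cap_names[] = {
    { "CAP_SETPCAP", CAP_SETPCAP },       { "CAP_NET_RAW", CAP_NET_RAW },
    { "CAP_SYS_MODULE", CAP_SYS_MODULE }, { "CAP_SYS_ADMIN", CAP_SYS_ADMIN },
};

/* Parse the comma separated drop_capabilities= value into a bitmask. An unknown
 * name is fatal and yields UINT64_MAX (bit 63 is never a valid capability). */
uint64_t parse_drop_list(const char *list)
{
    char buf[256], *tok, *save;
    uint64_t mask = 0;
    size_t i, n = sizeof cap_names / sizeof cap_names[0];
    if (snprintf(buf, sizeof buf, "%s", list) >= (int)sizeof buf) return UINT64_MAX;
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        for (i = 0; i < n && strcmp(tok, cap_names[i].name); i++) { }
        if (i == n) return UINT64_MAX;
        mask |= 1ULL << cap_names[i].cap;
    }
    return mask;
}

/* Part 1: clear the bits from the inheritable mask only; lowering it needs no privilege. */
int drop_inheritable(uint64_t mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data)) return -1;
    data[0].inheritable &= ~(uint32_t)mask;
    data[1].inheritable &= ~(uint32_t)(mask >> 32);
    return syscall(SYS_capset, &hdr, data) ? -1 : 0;
}

/* Part 2: drop the bits from the bounding set so later setuid execs cannot regain
 * them. PR_CAPBSET_DROP itself requires CAP_SETPCAP, so it fails unprivileged. */
int drop_bounding(uint64_t mask)
{
    for (int cap = 0; cap < 64; cap++)
        if (((mask >> cap) & 1) && prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL)) return -1;
    return 0;
}
```

As in the patch description, a caller should treat a non-zero return from any step as fatal rather than continue booting with the policy only partly applied.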