| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Oct 2012 08:54:49 -0700
From: "Andrew G. Morgan" <morgan@...nel.org>
To: "Serge E. Hallyn" <serge@...lyn.com>
Cc: Cyrill Gorcunov <gorcunov@...nvz.org>, criu@...nvz.org,
linux-kernel@...r.kernel.org,
Serge Hallyn <serge.hallyn@...onical.com>,
linux-security-module@...r.kernel.org,
Pavel Emelyanov <xemul@...allels.com>,
Andrew Vagin <avagin@...nvz.org>
Subject: Re: [PATCH] proc: don't show nonexistent capabilities
I like the sentiment but have you considered the implications for a
default system root user trying to set all=eip ? Existing code can do
this because all bits are accessible by default. If you set the
bounding set to something less than ~0, then any code that currently
does this will start to fail in the common case.
Cheers
Andrew
On Oct 5, 2012 7:13 AM, "Serge E. Hallyn" <serge@...lyn.com> wrote:
>
> Quoting Andrew Vagin (avagin@...nvz.org):
> > Without this patch it is really hard to interpret a bounding set,
> > if CAP_LAST_CAP is unknown for a current kernel.
>
> To be clear, note that you *can* figure it out using
> prctl(PR_CAPBSET_DROP). But this is a nice improvement.
>
> > Non-existant capabilities can not be deleted from a bounding set
> > with help of prctl.
> >
> > E.g.: Here are two examples without/with this patch.
> > CapBnd: ffffffe0fdecffff
> > CapBnd: 00000000fdecffff
> >
> > I suggest to hide non-existent capabilities. Here is two reasons.
> > * It's logically and easier for using.
> > * It helps to checkpoint-restore capabilities of tasks, because tasks
> > can be restored on another kernel, where CAP_LAST_CAP is bigger.
> >
> > Cc: Serge Hallyn <serge.hallyn@...onical.com>
>
> Thanks, Andrew. I saw your other email about having run LTP, I didn't
> see any problems from userspace either. Great idea!
>
> Reviewed-by: Serge Hallyn <serge.hallyn@...onical.com>
>
> Still it's been like that for so long that, just to be safe, I'm cc:ing
> Andrew Morgan - can you see any problems with this?
>
> > Cc: Pavel Emelyanov <xemul@...allels.com>
> > Signed-off-by: Andrew Vagin <avagin@...nvz.org>
> > ---
> > include/linux/capability.h | 3 ++-
> > 1 files changed, 2 insertions(+), 1 deletions(-)
> >
> > diff --git a/include/linux/capability.h b/include/linux/capability.h
> > index d10b7ed..1642778 100644
> > --- a/include/linux/capability.h
> > +++ b/include/linux/capability.h
> > @@ -420,7 +420,8 @@ extern const kernel_cap_t __cap_init_eff_set;
> > #else /* HAND-CODED capability initializers */
> >
> > # define CAP_EMPTY_SET ((kernel_cap_t){{ 0, 0 }})
> > -# define CAP_FULL_SET ((kernel_cap_t){{ ~0, ~0 }})
> > +# define CAP_FULL_SET ((kernel_cap_t){{ ~0, \
> > + CAP_TO_MASK(CAP_LAST_CAP + 1) - 1 } })
> > # define CAP_FS_SET ((kernel_cap_t){{ CAP_FS_MASK_B0 \
> > | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
> > CAP_FS_MASK_B1 } })
> > --
> > 1.7.1
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@...r.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists