[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <18dc7bfc-7533-1008-4091-5ae0560df21c@gmail.com>
Date: Mon, 13 Jun 2016 21:48:19 +0000
From: Topi Miettinen <toiwoton@...il.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Alexander Viro <viro@...iv.linux.org.uk>,
Ingo Molnar <mingo@...hat.com>,
Peter Zijlstra <peterz@...radead.org>,
Serge Hallyn <serge.hallyn@...onical.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>,
Christoph Lameter <cl@...ux.com>,
"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
"Richard W.M. Jones" <rjones@...hat.com>,
Iago López Galeiras <iago@...ocode.com>,
Chris Metcalf <cmetcalf@...hip.com>,
Andy Lutomirski <luto@...nel.org>, Jann Horn <jann@...jh.net>,
"open list:FILESYSTEMS (VFS and infrastructure)"
<linux-fsdevel@...r.kernel.org>,
"open list:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [RFC 01/18] capabilities: track actually used capabilities
On 06/13/16 21:12, Andy Lutomirski wrote:
> On Mon, Jun 13, 2016 at 1:45 PM, Topi Miettinen <toiwoton@...il.com> wrote:
>> On 06/13/16 20:32, Andy Lutomirski wrote:
>>> On Mon, Jun 13, 2016 at 12:44 PM, Topi Miettinen <toiwoton@...il.com> wrote:
>>>> Track what capabilities are actually used and present the current
>>>> situation in /proc/self/status.
>>>
>>> What for?
>>
>
>>
>> Capabilities
>> [RFC 01/18] capabilities: track actually used capabilities
>>
>> Currently, there is no way to know which capabilities are actually used.
>> Even
>> the source code is only implicit, in-depth knowledge of each capability must
>> be used when analyzing a program to judge which capabilities the program
>> will
>> exercise."
>>
>> Should I perhaps cite some of this in the commit?
>
> Yes, but you should also clarify what users are supposed to do with
> this. Given ambient capabilities, I suspect that you'll find that
> your patch doesn't actually work very well. For example, if you run a
> shell script with ambient caps, then you won't notice caps used by
> short-lived helper processes.
>
Right, I suppose this model works well only within a single process, or
where the helper processes are always unprivileged (like Xorg runs
xkbcomp) or less privileged.
>>
>>>
>>> What is the intended behavior on fork()? Whatever the intended
>>> behavior is, there should IMO be a selftest for it.
>>>
>>> --Andy
>>>
>>
>> The capabilities could be tracked from three points of daemon
>> initialization sequence onwards:
>> fork()
>> setpcap()
>> exec()
>>
>> fork() case would be logical as the /proc entry is per task. But if you
>> consider the tools to set the capabilities (for example systemd unit
>> files), there can be between fork() and exec() further preparations
>> which need more capabilities than the program itself needs.
>>
>> setpcap() is probably the real point after which we are interested if
>> the capabilities are enough.
>>
>> The amount of setup between setpcap() and exec() is probably very low.
>
> When I asked "what is the intended behavior on fork()?", I mean "what
> should CapUsed be after fork()?". The answer should be about four
> words long and should have a test case. There should maybe also be an
> explanation of why the intended behavior is useful.
In this model:
fork: no change
setpcap: no change
exec: reset
But I hadn't thought that much where the reset happens.
>
> But, as I said above, I think that you may need to rethink this
> entirely to make it useful. You might need to do it per process tree
> or per cgroup or something.
>
> --Andy
>
I'd actually prefer the cgroup approach. Though that's much more work
than this simple patch which already gives somewhat useful information
in limited cases (once the logic is correct).
-Topi
Powered by blists - more mailing lists