| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jun 2016 21:48:19 +0000 From: Topi Miettinen <toiwoton@...il.com> To: Andy Lutomirski <luto@...capital.net> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Serge Hallyn <serge.hallyn@...onical.com>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, "Richard W.M. Jones" <rjones@...hat.com>, Iago López Galeiras <iago@...ocode.com>, Chris Metcalf <cmetcalf@...hip.com>, Andy Lutomirski <luto@...nel.org>, Jann Horn <jann@...jh.net>, "open list:FILESYSTEMS (VFS and infrastructure)" <linux-fsdevel@...r.kernel.org>, "open list:CAPABILITIES" <linux-security-module@...r.kernel.org> Subject: Re: [RFC 01/18] capabilities: track actually used capabilities On 06/13/16 21:12, Andy Lutomirski wrote: > On Mon, Jun 13, 2016 at 1:45 PM, Topi Miettinen <toiwoton@...il.com> wrote: >> On 06/13/16 20:32, Andy Lutomirski wrote: >>> On Mon, Jun 13, 2016 at 12:44 PM, Topi Miettinen <toiwoton@...il.com> wrote: >>>> Track what capabilities are actually used and present the current >>>> situation in /proc/self/status. >>> >>> What for? >> > >> >> Capabilities >> [RFC 01/18] capabilities: track actually used capabilities >> >> Currently, there is no way to know which capabilities are actually used. >> Even >> the source code is only implicit, in-depth knowledge of each capability must >> be used when analyzing a program to judge which capabilities the program >> will >> exercise." >> >> Should I perhaps cite some of this in the commit? > > Yes, but you should also clarify what users are supposed to do with > this. Given ambient capabilities, I suspect that you'll find that > your patch doesn't actually work very well. For example, if you run a > shell script with ambient caps, then you won't notice caps used by > short-lived helper processes. > Right, I suppose this model works well only within a single process, or where the helper processes are always unprivileged (like Xorg runs xkbcomp) or less privileged. >> >>> >>> What is the intended behavior on fork()? Whatever the intended >>> behavior is, there should IMO be a selftest for it. >>> >>> --Andy >>> >> >> The capabilities could be tracked from three points of daemon >> initialization sequence onwards: >> fork() >> setpcap() >> exec() >> >> fork() case would be logical as the /proc entry is per task. But if you >> consider the tools to set the capabilities (for example systemd unit >> files), there can be between fork() and exec() further preparations >> which need more capabilities than the program itself needs. >> >> setpcap() is probably the real point after which we are interested if >> the capabilities are enough. >> >> The amount of setup between setpcap() and exec() is probably very low. > > When I asked "what is the intended behavior on fork()?", I mean "what > should CapUsed be after fork()?". The answer should be about four > words long and should have a test case. There should maybe also be an > explanation of why the intended behavior is useful. In this model: fork: no change setpcap: no change exec: reset But I hadn't thought that much where the reset happens. > > But, as I said above, I think that you may need to rethink this > entirely to make it useful. You might need to do it per process tree > or per cgroup or something. > > --Andy > I'd actually prefer the cgroup approach. Though that's much more work than this simple patch which already gives somewhat useful information in limited cases (once the logic is correct). -Topi
Powered by blists - more mailing lists