| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALCETrW3SwYPzA5HUKMhpRET4pht-4+eOjHiXFzRqync9Hx3yg@mail.gmail.com> Date: Mon, 13 Jun 2016 14:12:37 -0700 From: Andy Lutomirski <luto@...capital.net> To: Topi Miettinen <toiwoton@...il.com> Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Ingo Molnar <mingo@...hat.com>, Peter Zijlstra <peterz@...radead.org>, Serge Hallyn <serge.hallyn@...onical.com>, Andrew Morton <akpm@...ux-foundation.org>, Kees Cook <keescook@...omium.org>, Christoph Lameter <cl@...ux.com>, "Serge E. Hallyn" <serge.hallyn@...ntu.com>, Andy Shevchenko <andriy.shevchenko@...ux.intel.com>, "Richard W.M. Jones" <rjones@...hat.com>, Iago López Galeiras <iago@...ocode.com>, Chris Metcalf <cmetcalf@...hip.com>, Andy Lutomirski <luto@...nel.org>, Jann Horn <jann@...jh.net>, "open list:FILESYSTEMS (VFS and infrastructure)" <linux-fsdevel@...r.kernel.org>, "open list:CAPABILITIES" <linux-security-module@...r.kernel.org> Subject: Re: [RFC 01/18] capabilities: track actually used capabilities On Mon, Jun 13, 2016 at 1:45 PM, Topi Miettinen <toiwoton@...il.com> wrote: > On 06/13/16 20:32, Andy Lutomirski wrote: >> On Mon, Jun 13, 2016 at 12:44 PM, Topi Miettinen <toiwoton@...il.com> wrote: >>> Track what capabilities are actually used and present the current >>> situation in /proc/self/status. >> >> What for? > > > Capabilities > [RFC 01/18] capabilities: track actually used capabilities > > Currently, there is no way to know which capabilities are actually used. > Even > the source code is only implicit, in-depth knowledge of each capability must > be used when analyzing a program to judge which capabilities the program > will > exercise." > > Should I perhaps cite some of this in the commit? Yes, but you should also clarify what users are supposed to do with this. Given ambient capabilities, I suspect that you'll find that your patch doesn't actually work very well. For example, if you run a shell script with ambient caps, then you won't notice caps used by short-lived helper processes. > >> >> What is the intended behavior on fork()? Whatever the intended >> behavior is, there should IMO be a selftest for it. >> >> --Andy >> > > The capabilities could be tracked from three points of daemon > initialization sequence onwards: > fork() > setpcap() > exec() > > fork() case would be logical as the /proc entry is per task. But if you > consider the tools to set the capabilities (for example systemd unit > files), there can be between fork() and exec() further preparations > which need more capabilities than the program itself needs. > > setpcap() is probably the real point after which we are interested if > the capabilities are enough. > > The amount of setup between setpcap() and exec() is probably very low. When I asked "what is the intended behavior on fork()?", I mean "what should CapUsed be after fork()?". The answer should be about four words long and should have a test case. There should maybe also be an explanation of why the intended behavior is useful. But, as I said above, I think that you may need to rethink this entirely to make it useful. You might need to do it per process tree or per cgroup or something. --Andy
Powered by blists - more mailing lists