lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhRjM6FxTrrbFPLu3eupzfMZOWCinHprPye0g0Gq5kuWcQ@mail.gmail.com>
Date:	Tue, 12 Jul 2016 18:00:06 -0400
From:	Paul Moore <paul@...l-moore.com>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
Cc:	Topi Miettinen <toiwoton@...il.com>, linux-kernel@...r.kernel.org,
	pmladek@...e.com, luto@...nel.org, serge@...lyn.com,
	keescook@...omium.org, Eric Paris <eparis@...hat.com>,
	Tejun Heo <tj@...nel.org>, Li Zefan <lizefan@...wei.com>,
	Johannes Weiner <hannes@...xchg.org>,
	"moderated list:AUDIT SUBSYSTEM" <linux-audit@...hat.com>,
	"open list:CONTROL GROUP (CGROUP)" <cgroups@...r.kernel.org>,
	"open list:CAPABILITIES" <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH] capabilities: audit capability use

On Tue, Jul 12, 2016 at 9:16 AM, Eric W. Biederman
<ebiederm@...ssion.com> wrote:
> Not logging capabilities outside of the initial user namespace is
> certainly the conservative place to start, and what selinux does.

FYI, we added some basic userns capability smarts to SELinux in Linux 4.7.

  commit 8e4ff6f228e4722cac74db716e308d1da33d744f
  Author: Stephen Smalley <sds@...ho.nsa.gov>
  Date:   Fri Apr 8 13:52:00 2016 -0400

   selinux: distinguish non-init user namespace capability checks

   Distinguish capability checks against a target associated
   with the init user namespace versus capability checks against
   a target associated with a non-init user namespace by defining
   and using separate security classes for the latter.

   This is needed to support e.g. Chrome usage of user namespaces
   for the Chrome sandbox without needing to allow Chrome to also
   exercise capabilities on targets in the init user namespace.

   Suggested-by: Dan Walsh <dwalsh@...hat.com>
   Signed-off-by: Stephen Smalley <sds@...ho.nsa.gov>
   Signed-off-by: Paul Moore <paul@...l-moore.com>

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ