lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cdbc35f2-925e-aa65-98e7-a4ae4a5ded2c@gmail.com>
Date:   Thu, 15 Dec 2016 12:40:56 +0100
From:   "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To:     "Serge E. Hallyn" <serge@...lyn.com>,
        Casey Schaufler <casey@...aufler-ca.com>,
        James Morris <jmorris@...ei.org>,
        Kees Cook <keescook@...omium.org>,
        Andy Lutomirski <luto@...capital.net>,
        John Stultz <john.stultz@...aro.org>,
        Jann Horn <jann@...jh.net>,
        "Eric W. Biederman" <ebiederm@...ssion.com>
Cc:     mtk.manpages@...il.com, linux-man <linux-man@...r.kernel.org>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        lkml <linux-kernel@...r.kernel.org>
Subject: RFC: capabilities(7): notes for kernel developers

Hello all,

Because the topic every now then comes up "which capability 
should I associate with the new feature that I'm adding to 
the kernel?", I propose to add the text below to the 
capabilities(7) man page [1] with some recommendations
on how to go about choosing. I would be happy
to get feedback, suggestions for improvement and
so on.

Cheers,

Michael

[1] http://man7.org/linux/man-pages/man7/capabilities.7.html


   Notes to kernel developers
       When adding a new kernel feature that  should  be  governed  by  a
       capability, consider the following points.

       *  The  goal of capabilities is divide the power of superuser into
          small pieces, such that if a program that has  capabilities  is
          compromised, its power to do damage to the system would be much
          less than a similar set-user-ID-root program.

       *  You have the choice of either creating  a  new  capability  for
          your  new  feature,  or associating the feature with one of the
          existing capabilities.  Because the size of capability sets  is
          currently  limited to 64 bits, the latter option is preferable,
          unless there are compelling reasons to take the former option.

       *  To determine which existing capability might best be associated
          with your new feature, review the list of capabilities above in
          order to find a "silo" into which your new feature best fits.

       *  Don't choose CAP_SYS_ADMIN if you can  possibly  avoid  it!   A
          vast  proportion  of  existing capability checks are associated
          with this capability, to the point where it  can  plausibly  be
          called "the new root".  Don't make the problem worse.  The only
          new features that should be associated with  CAP_SYS_ADMIN  are
          ones that closely match existing uses in that silo.

       *  If  you have determined that it really is necessary to create a
          new capability for your feature, avoid making (and  naming)  it
          as  a "single-use" capability.  Thus, for example, the addition
          of the highly specific CAP_WAKE_ALARM was probably  a  mistake.
          Instead,  try  to  identify  and  name your new capability as a
          broader silo into which other related future  use  cases  might
          fit.


-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ