lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 24 May 2020 19:01:54 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Andrei Vagin <avagin@...il.com> Cc: Adrian Reber <areber@...hat.com>, Christian Brauner <christian.brauner@...ntu.com>, Eric Biederman <ebiederm@...ssion.com>, Pavel Emelyanov <ovzxemul@...il.com>, Oleg Nesterov <oleg@...hat.com>, Dmitry Safonov <0x7f454c46@...il.com>, Nicolas Viennot <Nicolas.Viennot@...sigma.com>, Michał Cłapiński <mclapinski@...gle.com>, Kamil Yurtsever <kyurtsever@...gle.com>, Dirk Petersen <dipeit@...il.com>, Christine Flood <chf@...hat.com>, Mike Rapoport <rppt@...ux.ibm.com>, Radostin Stoyanov <rstoyanov1@...il.com>, Cyrill Gorcunov <gorcunov@...nvz.org>, Serge Hallyn <serge@...lyn.com>, Stephen Smalley <stephen.smalley.work@...il.com>, Sargun Dhillon <sargun@...gun.me>, Arnd Bergmann <arnd@...db.de>, Aaron Goidel <acgoide@...ho.nsa.gov>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, selinux@...r.kernel.org, Eric Paris <eparis@...isplace.org>, Jann Horn <jannh@...gle.com>, Casey Schaufler <casey@...aufler-ca.com> Subject: Re: [PATCH] capabilities: Introduce CAP_RESTORE On 5/22/2020 9:27 PM, Andrei Vagin wrote: > On Fri, May 22, 2020 at 09:40:37AM -0700, Casey Schaufler wrote: >> On 5/21/2020 10:53 PM, Adrian Reber wrote: >>> There are probably a few more things guarded by CAP_SYS_ADMIN required >>> to run checkpoint/restore as non-root, >> If you need CAP_SYS_ADMIN anyway you're not gaining anything by >> separating out CAP_RESTORE. >> >>> but by applying this patch I can >>> already checkpoint and restore processes as non-root. As there are >>> already multiple workarounds I would prefer to do it correctly in the >>> kernel to avoid that CRIU users are starting to invent more workarounds. >> You've presented a couple of really inappropriate implementations >> that would qualify as workarounds. But the other two are completely >> appropriate within the system security policy. They don't "get around" >> the problem, they use existing mechanisms as they are intended. >> > With CAP_CHECKPOINT_RESTORE, we will need to use the same mechanisms. Then why call them out as objectionable "workarounds"? > The problem is that CAP_SYS_ADMIN is too wide. This is well understood, and irrelevant. If we broke out CAP_SYS_ADMIN properly we'd have hundreds of capabilities, and no one would be able to manage the capability sets on anything. Just breaking out of CAP_SYS_ADMIN, especially if the process is going to need other capabilities anyway, gains you nothing. > If a process has > CAP_SYS_ADMIN, it can do a lot of things and the operation of forking a > process with a specified pid isn't the most dangerous one in this case. > Offten security policies don't allow to grant CAP_SYS_ADMIN to any > third-party tools even in non-root user namespaces. >
Powered by blists - more mailing lists