[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <7655a573-544f-05a4-36dc-0c84c73ac9ee@gmail.com>
Date: Tue, 27 Oct 2020 13:11:40 +0100
From: "Michael Kerrisk (man-pages)" <mtk.manpages@...il.com>
To: Nicolas Viennot <Nicolas.Viennot@...sigma.com>,
Christian Brauner <christian.brauner@...ntu.com>,
Adrian Reber <areber@...hat.com>,
Cyrill Gorcunov <gorcunov@...il.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Kirill Tkhai <ktkhai@...tuozzo.com>
Cc: mtk.manpages@...il.com, Oleg Nesterov <oleg@...hat.com>,
Pavel Emelyanov <ovzxemul@...il.com>,
Kees Cook <keescook@...omium.org>,
Casey Schaufler <casey@...aufler-ca.com>,
lkml <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
Jann Horn <jannh@...gle.com>, Andrei Vagin <avagin@...il.com>,
Dmitry Safonov <0x7f454c46@...il.com>
Subject: Inconsistent capability requirements for prctl_set_mm_exe_file()
Hello Nicolas, Cyrill, and others,
@Nicolas, your commit ebd6de6812387a changed the capability
requirements for the prctl_set_mm_exe_file() operation from
ns_capable(CAP_SYS_ADMIN)
to
ns_capable(CAP_SYS_ADMIN) || ns_capable(CAP_CHECKPOINT_RESTORE).
That's fine I guess, but while looking at that change, I found
an anomaly.
The same prctl_set_mm_exe_file() functionality is also available
via the prctl() PR_SET_MM_EXE_FILE operation, which was added
by Cyrill's commit b32dfe377102ce668. However, there the
prctl_set_mm_exe_file() operation is guarded by a check
capable(CAP_SYS_RESOURCE).
There are two things I note:
* The capability requirements are different in the two cases.
* In one case the checks are with ns_capable(), while in the
other case the check is with capable().
In both cases, the inconsistencies predate Nicolas's patch,
and appear to have been introduced in Kirill Tkhai's commit
4d28df6152aa3ff.
I'm not sure what is right, but those inconsistencies seem
seem odd, and presumably unintended. Similarly, I'm not
sure what fix, if any, should be applied. However, I thought
it worth mentioning these details, since the situation is odd
and surprising.
Thanks,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
Powered by blists - more mailing lists