[<prev] [next>] [day] [month] [year] [list]
Message-ID: <987c864.c84f.18ccd413a51.Coremail.mengjingzi@iie.ac.cn>
Date: Wed, 3 Jan 2024 10:57:33 +0800 (GMT+08:00)
From: 孟敬姿 <mengjingzi@....ac.cn>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Suggestion for Capability Check Adjustment in caif_create()
Hi!
During our code review, we noticed that both CAP_NET_ADMIN and CAP_SYS_ADMIN are currently being checked in the caif_create() function. We propose revisiting the capability checks and considering an adjustment to utilize CAP_NET_ADMIN exclusively. Here's our reasoning for this proposal:
(1) Functionality of caif_create(): The purpose of caif_create() is to initialize a caif socket, involving tasks such as allocating a socket, assigning values to specific fields, etc. Given its role in networking operations, using CAP_NET_ADMIN is more precise and aligned with the principle of least privilege.
(2) Scope of CAP_SYS_ADMIN: Introducing a CAP_SYS_ADMIN check could potentially expand the scope of the capability. As it is already considered as the new "root"(https://lwn.net/Articles/486306/), and the manual page(https://www.man7.org/linux/man-pages/man7/capabilities.7.html) states “Don't choose CAP_SYS_ADMIN if you can possibly avoid it!”. It's beneficial to use the most specific capability required for a given task.
This issue exists in several kernel versions and we have checked it on the latest stable release(Linux 6.6.9).
Your thoughts and feedback on this proposed modification would be highly appreciated. Thank you for your time and consideration
Best regards,
Jingzi
Powered by blists - more mailing lists