Date: Wed, 3 Jan 2024 10:57:33 +0800 (GMT+08:00)
From: 孟敬姿 <mengjingzi@....ac.cn>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	pabeni@...hat.com
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Suggestion for Capability Check Adjustment in caif_create()

Hi!

During our code review, we noticed that both CAP_NET_ADMIN and CAP_SYS_ADMIN are currently being checked in the caif_create() function. We propose revisiting the capability checks and considering an adjustment to utilize CAP_NET_ADMIN exclusively. Here's our reasoning for this proposal:

(1) Functionality of caif_create(): The purpose of caif_create() is to initialize a caif socket, involving tasks such as allocating a socket, assigning values to specific fields, etc. Given its role in networking operations, using CAP_NET_ADMIN is more precise and aligned with the principle of least privilege.

(2) Scope of CAP_SYS_ADMIN: Introducing a CAP_SYS_ADMIN check could potentially expand the scope of the capability. It is already considered the new "root" (https://lwn.net/Articles/486306/), and the manual page (https://www.man7.org/linux/man-pages/man7/capabilities.7.html) states “Don't choose CAP_SYS_ADMIN if you can possibly avoid it!”. It's beneficial to use the most specific capability required for a given task.

This issue exists in several kernel versions, and we have checked it on the latest stable release (Linux 6.6.9).

Your thoughts and feedback on this proposed modification would be highly appreciated. Thank you for your time and consideration.

Best regards,
Jingzi
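
The two policies compared in this message, as an added example that is not part of the original e-mail or the kernel source. It assumes the current check in caif_create() passes when either capability is held, and uses constructed /proc/<pid>/status excerpts to identify processes that would be affected by a CAP_NET_ADMIN-only check; the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
static const char *SAMPLES[] = {
    "Name:\tnetcfgd\nCapEff:\t0000000000001000\n", /* CAP_NET_ADMIN only */
    "Name:\tlegacyd\nCapEff:\t0000000000200000\n", /* CAP_SYS_ADMIN only */
    "Name:\twebapp\nCapEff:\t0000000000000000\n",  /* no capabilities */
};

/* Find the CapEff line and parse its hex mask; 0 on success, -1 if absent. */
int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0; /* no hex digits found */
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

static int has_cap(uint64_t m, int cap) { return (int)((m >> cap) & 1); }

/* Assumed current policy: either capability is accepted. */
int allowed_current(uint64_t m) { return has_cap(m, CAP_SYS_ADMIN) || has_cap(m, CAP_NET_ADMIN); }
/* Proposed policy: CAP_NET_ADMIN only. */
int allowed_proposed(uint64_t m) { return has_cap(m, CAP_NET_ADMIN); }
/* 1 if the process passes today solely because it holds CAP_SYS_ADMIN. */
int relies_on_sys_admin(uint64_t m) { return allowed_current(m) && !allowed_proposed(m); }

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        uint64_t m;
        if (parse_capeff(SAMPLES[i], &m) != 0) continue;
        printf("sample %zu: current=%d proposed=%d needs-migration=%d\n",
               i, allowed_current(m), allowed_proposed(m), relies_on_sys_admin(m));
    }
    return 0;
}
```

A process flagged as needs-migration would have to be granted CAP_NET_ADMIN before a CAP_NET_ADMIN-only check is deployed.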
