Re: [RFC] [PATCH] file posix capabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Quoting Eric W. Biederman ([email protected]):
> "Serge E. Hallyn" <[email protected]> writes:
> 
> > Quoting Serge E. Hallyn ([email protected]):
> >> This patch implements file (posix) capabilities.  This allows
> >> a binary to gain a subset of root's capabilities without having
> >> the file actually be setuid root.
> >> 
> >> There are some other implementations out there taking various
> >> approaches.  This patch keeps all the changes within the
> >> capability LSM, and stores the file capabilities in xattrs
> >> named "security.capability".  First question is, do we want
> >> this in the kernel?  Second is, is this sort of implementation
> >> we'd want?
> >> 
> >> Some userspace tools to manipulate the fscaps are at
> >> www.sr71.net/~hallyn/fscaps/.  For instance,
> >> 
> >> 	setcap writeroot "cap_dac_read_search,cap_dac_override+eip"
> >> 
> >> allows the 'writeroot' testcase to write to /root/ab when
> >> run as a normal user.
> >> 
> >> This patch doesn't address the need to update
> >> cap_bprm_secureexec().
> 
> Looking at your ondisk format it doesn't look like you include a
> version.  There is no reason to believe the current set of kernel
> capabilities is fixed for all time.

In fact my version knowingly ignores CAP_AUDIT_WRITE and
CAP_AUDIT_CONTROL (because on my little test .iso they didn't exist).
So a version number may make sense.

> So we need some for of
> forward/backward compatibility.  Maybe in the cap name?

You mean as in use 'security.capability_v32" for the xattr name?
Or do you really mean add a cap name to the structure?

thanks,
-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux