Re: [RFC] [PATCH] file posix capabilities

Quoting Stephen Smalley ([email protected]):
> On Tue, 2006-08-15 at 06:49 -0500, Serge E. Hallyn wrote:
> > Quoting Nicholas Miell ([email protected]):
> > > OTOH, everybody seems to have moved from capability-based security
> > > models on to TE/RBAC-based security models, so maybe this isn't worth
> > > the effort?
> > 
> > One day perhaps, but that day isn't here yet.  People are still using
> > setuid (see /sbin/passwd), so obviously they're not sufficiently
> > comfortable using *only* TE/RBAC.
> 
> The hard part of capabilities isn't the kernel mechanism - it is the

I didn't claim to be doing the hard part  :)

> proper assignment and management of the capability bits on files, and
> teaching userland that uid 0 is no longer magic.

Of course setuid still works, so it doesn't need to be done all at once.

> Which is all work that
> is already well underway for SELinux, but you would have to replicate it
> for capabilities.  And since there is no notion of equivalence classes
> ala SELinux types and the "policy" is completely distributed throughout
> the filesystem state, management is going to be even more painful for
> the capabilities.

But since file capabilities cannot survive an exec, analysis with a gui
which walks the fs could be pretty simple.

> On the kernel side, in addition to updating the bprm_secureexec logic,
> you would need to consider whether the capability module needs to
> implement capability comparisons for the other hooks, like task_kill.
> At present, many operations only involve uid comparisons and SELinux
> checks without explicitly comparing capability sets.  Properly isolating
> and protecting processes with different capability sets but the same uid
> is something SELinux already can do (based on domain), whereas the
> existing capability module doesn't really provide that. 

Very good point.  Preventing communication channels i.e. through signals
isn't a concern, but user hallyn ptracing himself running /bin/passwd
certainly is.

Thanks.

-serge
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: [RFC] [PATCH] file posix capabilities
  - From: Stephen Smalley <[email protected]>

References:
- [RFC] [PATCH] file posix capabilities
  - From: "Serge E. Hallyn" <[email protected]>
- Re: [RFC] [PATCH] file posix capabilities
  - From: "Serge E. Hallyn" <[email protected]>
- Re: [RFC] [PATCH] file posix capabilities
  - From: [email protected] (Eric W. Biederman)
- Re: [RFC] [PATCH] file posix capabilities
  - From: "Serge E. Hallyn" <[email protected]>
- Re: [RFC] [PATCH] file posix capabilities
  - From: [email protected] (Eric W. Biederman)
- Re: [RFC] [PATCH] file posix capabilities
  - From: Nicholas Miell <[email protected]>
- Re: [RFC] [PATCH] file posix capabilities
  - From: "Serge E. Hallyn" <[email protected]>
- Re: [RFC] [PATCH] file posix capabilities
  - From: Stephen Smalley <[email protected]>

Prev by Date: Re: peculiar suspend/resume bug.
Next by Date: Re: [RFC] [PATCH] file posix capabilities
Previous by thread: Re: [RFC] [PATCH] file posix capabilities
Next by thread: Re: [RFC] [PATCH] file posix capabilities
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]