Re: patch to make Linux capabilities into something useful (v 0.3.1)

On Sep 07, 2006, at 14:21:15, James Antill wrote:

David Madore <[email protected]> writes:

Hi.

As we all know, capabilities under Linux are currently crippled to the point of being useless. Attached is a patch (against 2.6.18- rc6) which attempts to make them work in a reasonably useful way and at the same time not break anything. On top of the "additional" capabilities that lead up to root, it also adds "regular" capabilities which all processes have by default and which can be removed from specifically untrusted programs.

Just a minor comment, can you break out the OPEN into at least OPEN_R, OPEN_NONFILE_W and OPEN_W (possibly OPEN_A, but I don't want that personally). The case I'm thinking about are network daemons that need to open+write to the syslog socket but only have read access elsewhere.

Also there is much more than just bind9 using capabilities, the obvious ones that come to mind are NOATIME and AUDIT.

To be honest, once you get to the point of having an OPEN_NONFILE_W capability you should really just be using SELinux. Instead of spewing policy all over your filesystem xattrs you put it all into a single set of fairly admin-readable policy files, and it includes more fine-grained operations than you have space for in 32 bits of "un"-capabilities. It also conveniently supports the existing pseudo- POSIX capabilities. You can effectively say "root, netadmin, and netuser users are allowed to run ping programs which automatically transition into the ping domain and get CAP_NET_RAW privileges" in your binary policy, then just leave ping as chmod "755" and be done with it.

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Follow-Ups:
  • Re: patch to make Linux capabilities into something useful (v 0.3.1)
    • From: James Antill <[email protected]>

• References:
  • patch to make Linux capabilities into something useful (v 0.3.1)
    • From: David Madore <[email protected]>
  • Re: patch to make Linux capabilities into something useful (v 0.3.1)
    • From: James Antill <[email protected]>

• Prev by Date: RE: bogofilter ate 3/5
• Next by Date: top displaying 50% si time and 50% idle on idle machine
• Previous by thread: Re: patch to make Linux capabilities into something useful (v 0.3.1)
• Next by thread: Re: patch to make Linux capabilities into something useful (v 0.3.1)
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]