From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com> To: Casey Schaufler <casey@schaufler-ca.com>, "Serge E. Hallyn" <serge@hallyn.com>, James Morris <jmorris@namei.org>, Kees Cook <keescook@chromium.org>, Andy Lutomirski <luto@amacapital.net>, John Stultz <john.stultz@linaro.org>, Jann Horn <jann@thejh.net>, "Eric W. Biederman" <ebiederm@xmission.com> Cc: mtk.manpages@gmail.com, linux-man <linux-man@vger.kernel.org>, linux-security-module <linux-security-module@vger.kernel.org>, lkml <linux-kernel@vger.kernel.org> Subject: Re: RFC: capabilities(7): notes for kernel developers Date: Fri, 16 Dec 2016 16:04:02 +0100 [thread overview] Message-ID: <1928427a-d29b-e625-37a0-52e9ffecc7e1@gmail.com> (raw) In-Reply-To: <9ed6371f-3d38-45b1-a85b-1fbb3e5b4fc7@schaufler-ca.com> On 12/15/2016 09:40 PM, Casey Schaufler wrote: > On 12/15/2016 11:41 AM, Michael Kerrisk (man-pages) wrote: >> Hello Casey, >> >> On 12/15/2016 05:29 PM, Casey Schaufler wrote: >>> On 12/15/2016 3:40 AM, Michael Kerrisk (man-pages) wrote: [...] >>>> * To determine which existing capability might best be associated >>>> with your new feature, review the list of capabilities above in >>>> order to find a "silo" into which your new feature best fits. >>> One approach to take is to determine if there are other features >>> requiring capabilities that will always be use along with the >>> new feature. If the new feature is useless without these other >>> features, you should use the same capability as the other features. >> Thanks, I've lifted those words exactly as you gave them into the man page. >> >>>> * Don't choose CAP_SYS_ADMIN if you can possibly avoid it! A >>>> vast proportion of existing capability checks are associated >>>> with this capability, to the point where it can plausibly be >>>> called "the new root". Don't make the problem worse. The only >>>> new features that should be associated with CAP_SYS_ADMIN are >>>> ones that closely match existing uses in that silo. >>> I don't agree with this advice. Use CAP_SYS_ADMIN if you are >>> preforming system administration functions. Odds are very good >>> that if a program is using one system administration feature >>> it will be using others. >> Really? To me, the CAP_SYS_ADMIN situation is a terrible mess. Around a >> third of all of the capability checks in the kernel are for that >> capability. Or, to put it another way, it is so broad, that if a process >> has to have that capability, it may as well be root. And because it is >> so broad, the number of binaries that might need that file capability is >> large. (See also https://lwn.net/Articles/486306/) > > Back in the days of the POSIX P1003.1e/2c working group > we struggled with what to do about the things that required > privilege but that were not related to the enforcement of > security policy. Everyone involved was looking to use > capabilities to meet B2* least privilege requirements in > NSA security evaluations. Because those evaluations where > of security policy, by far the easiest thing to do was to > create a single capability for all the things that didn't > show up in the security policy and declare that the people > doing the evaluation didn't have to look over there. Since > then, people have taken a more practical view that includes > security relevance in addition to security policy. Ahhh -- thanks for a bit of the history! Helps me to understand a bit more why things are as they are... > In retrospect we should have grouped all of the attribute > changes (chmod, chown, ...) into one capability and broken > the non-policy actions into a set on 2 or three. > > The way that we think of privilege has evolved. We're not > focused on policy the way we used to be. We'll never get > everyone to agree on what the *right* granularity and > grouping is, either. :-) > ----- > * The B2 least privilege requirements are amusing. > If you want more information, look up "TCSEC orange book". Maybe one day... [...] Cheers, Mcihael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
WARNING: multiple messages have this Message-ID (diff)
From: "Michael Kerrisk (man-pages)" <mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> To: Casey Schaufler <casey-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>, "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>, James Morris <jmorris-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>, Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>, Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>, John Stultz <john.stultz-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>, Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>, "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> Cc: mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org, linux-man <linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, linux-security-module <linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>, lkml <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> Subject: Re: RFC: capabilities(7): notes for kernel developers Date: Fri, 16 Dec 2016 16:04:02 +0100 [thread overview] Message-ID: <1928427a-d29b-e625-37a0-52e9ffecc7e1@gmail.com> (raw) In-Reply-To: <9ed6371f-3d38-45b1-a85b-1fbb3e5b4fc7-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org> On 12/15/2016 09:40 PM, Casey Schaufler wrote: > On 12/15/2016 11:41 AM, Michael Kerrisk (man-pages) wrote: >> Hello Casey, >> >> On 12/15/2016 05:29 PM, Casey Schaufler wrote: >>> On 12/15/2016 3:40 AM, Michael Kerrisk (man-pages) wrote: [...] >>>> * To determine which existing capability might best be associated >>>> with your new feature, review the list of capabilities above in >>>> order to find a "silo" into which your new feature best fits. >>> One approach to take is to determine if there are other features >>> requiring capabilities that will always be use along with the >>> new feature. If the new feature is useless without these other >>> features, you should use the same capability as the other features. >> Thanks, I've lifted those words exactly as you gave them into the man page. >> >>>> * Don't choose CAP_SYS_ADMIN if you can possibly avoid it! A >>>> vast proportion of existing capability checks are associated >>>> with this capability, to the point where it can plausibly be >>>> called "the new root". Don't make the problem worse. The only >>>> new features that should be associated with CAP_SYS_ADMIN are >>>> ones that closely match existing uses in that silo. >>> I don't agree with this advice. Use CAP_SYS_ADMIN if you are >>> preforming system administration functions. Odds are very good >>> that if a program is using one system administration feature >>> it will be using others. >> Really? To me, the CAP_SYS_ADMIN situation is a terrible mess. Around a >> third of all of the capability checks in the kernel are for that >> capability. Or, to put it another way, it is so broad, that if a process >> has to have that capability, it may as well be root. And because it is >> so broad, the number of binaries that might need that file capability is >> large. (See also https://lwn.net/Articles/486306/) > > Back in the days of the POSIX P1003.1e/2c working group > we struggled with what to do about the things that required > privilege but that were not related to the enforcement of > security policy. Everyone involved was looking to use > capabilities to meet B2* least privilege requirements in > NSA security evaluations. Because those evaluations where > of security policy, by far the easiest thing to do was to > create a single capability for all the things that didn't > show up in the security policy and declare that the people > doing the evaluation didn't have to look over there. Since > then, people have taken a more practical view that includes > security relevance in addition to security policy. Ahhh -- thanks for a bit of the history! Helps me to understand a bit more why things are as they are... > In retrospect we should have grouped all of the attribute > changes (chmod, chown, ...) into one capability and broken > the non-policy actions into a set on 2 or three. > > The way that we think of privilege has evolved. We're not > focused on policy the way we used to be. We'll never get > everyone to agree on what the *right* granularity and > grouping is, either. :-) > ----- > * The B2 least privilege requirements are amusing. > If you want more information, look up "TCSEC orange book". Maybe one day... [...] Cheers, Mcihael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-12-16 15:10 UTC|newest] Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-12-15 11:40 RFC: capabilities(7): notes for kernel developers Michael Kerrisk (man-pages) 2016-12-15 11:40 ` Michael Kerrisk (man-pages) 2016-12-15 16:29 ` Casey Schaufler 2016-12-15 16:29 ` Casey Schaufler 2016-12-15 19:41 ` Michael Kerrisk (man-pages) 2016-12-15 20:40 ` Casey Schaufler 2016-12-15 20:40 ` Casey Schaufler 2016-12-16 0:31 ` John Stultz 2016-12-16 0:31 ` John Stultz 2016-12-16 0:44 ` Casey Schaufler 2016-12-16 14:55 ` Michael Kerrisk (man-pages) 2016-12-16 14:55 ` Michael Kerrisk (man-pages) 2016-12-16 20:10 ` Serge E. Hallyn 2016-12-16 20:10 ` Serge E. Hallyn 2016-12-16 20:20 ` John Stultz 2016-12-16 21:05 ` Serge E. Hallyn 2016-12-16 21:16 ` John Stultz 2016-12-16 21:16 ` John Stultz 2016-12-19 20:20 ` Rafael J. Wysocki 2016-12-19 20:20 ` Rafael J. Wysocki 2016-12-17 21:01 ` Michael Kerrisk (man-pages) 2016-12-16 15:04 ` Michael Kerrisk (man-pages) [this message] 2016-12-16 15:04 ` Michael Kerrisk (man-pages)
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=1928427a-d29b-e625-37a0-52e9ffecc7e1@gmail.com \ --to=mtk.manpages@gmail.com \ --cc=casey@schaufler-ca.com \ --cc=ebiederm@xmission.com \ --cc=jann@thejh.net \ --cc=jmorris@namei.org \ --cc=john.stultz@linaro.org \ --cc=keescook@chromium.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-man@vger.kernel.org \ --cc=linux-security-module@vger.kernel.org \ --cc=luto@amacapital.net \ --cc=serge@hallyn.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.