From: nicolas@belouin.fr
To: Casey Schaufler <casey@schaufler-ca.com>,
Jan Kara <jack@suse.com>, "Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <yuchao0@huawei.com>,
David Woodhouse <dwmw2@infradead.org>,
Dave Kleikamp <shaggy@kernel.org>,
Mark Fasheh <mfasheh@versity.com>,
Joel Becker <jlbec@evilplan.org>,
Miklos Szeredi <miklos@szeredi.hu>,
Phillip Lougher <phillip@squashfs.org.uk>,
Richard Weinberger <richard@nod.at>,
Artem Bityutskiy <dedekind1@gmail.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
James.Morris@smtp5.infomaniak.ch
Subject: Re: [kernel-hardening] [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED
Date: Sat, 21 Oct 2017 21:04:48 +0200 [thread overview]
Message-ID: <201710211904.v9LJ4o1X046943@smtp5.infomaniak.ch> (raw)
In-Reply-To: <d3e1c911-138d-082a-b941-651217d0faf8@schaufler-ca.com>
<james.l.morris@oracle.com>,linux-ext4@vger.kernel.org,linux-kernel@vger.kernel.org,linux-f2fs-devel@lists.sourceforge.net,linux-fsdevel@vger.kernel.org,linux-mtd@lists.infradead.org,jfs-discussion@lists.sourceforge.net,ocfs2-devel@oss.oracle.com,linux-unionfs@vger.kernel.org,reiserfs-devel@vger.kernel.org,linux-security-module@vger.kernel.org,selinux@tycho.nsa.gov,linux-api@vger.kernel.org,kernel-hardening@lists.openwall.com
From: Nicolas Belouin <nicolas@belouin.fr>
Message-ID: <E5A1BDA4-A309-4118-84D5-72780F619EBA@belouin.fr>
On October 21, 2017 7:25:21 PM GMT+02:00, Casey Schaufler <casey@schaufler-ca.com> wrote:
>On 10/21/2017 6:45 AM, Nicolas Belouin wrote:
>> with CAP_SYS_ADMIN being bloated, the usefulness of using it to
>> flag a process to be entrusted for e.g reading and writing trusted
>> xattr is near zero.
>> CAP_TRUSTED aims to provide userland with a way to mark a process as
>> entrusted to do specific (not specially admin-centered) actions. It
>> would for example allow a process to red/write the trusted xattrs.
>
>Please explain how this is different from CAP_MAC_ADMIN in
>any existing use case. If it is significantly different, how
>would the two interact?
>From my point of view, CAP_MAC_ADMIN allows one to read/write security xattrs, those are meant to describe security policies. As far as I know of, trusted xattrs are intended for a privileged process to read or write arbitrary data. I don't have any real world example in mind that use trusted xattrs, but I'll try to find one.
>
>> Signed-off-by: Nicolas Belouin <nicolas@belouin.fr>
>> ---
>> include/uapi/linux/capability.h | 6 +++++-
>> security/selinux/include/classmap.h | 5 +++--
>> 2 files changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/uapi/linux/capability.h
>b/include/uapi/linux/capability.h
>> index ce230aa6d928..27e457b93c84 100644
>> --- a/include/uapi/linux/capability.h
>> +++ b/include/uapi/linux/capability.h
>> @@ -369,7 +369,11 @@ struct vfs_ns_cap_data {
>>
>> #define CAP_SYS_MOUNT 38
>>
>> -#define CAP_LAST_CAP CAP_SYS_MOUNT
>> +/* Allow read/write trusted xattr */
>> +
>> +#define CAP_TRUSTED 39
>> +
>> +#define CAP_LAST_CAP CAP_TRUSTED
>>
>> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>>
>> diff --git a/security/selinux/include/classmap.h
>b/security/selinux/include/classmap.h
>> index a873dce97fd5..f5dc8e109f5a 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -24,9 +24,10 @@
>> "audit_control", "setfcap"
>>
>> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
>> - "wake_alarm", "block_suspend", "audit_read", "sys_mount"
>> + "wake_alarm", "block_suspend", "audit_read", "sys_mount", \
>> + "trusted"
>>
>> -#if CAP_LAST_CAP > CAP_SYS_MOUNT
>> +#if CAP_LAST_CAP > CAP_TRUSTED
>> #error New capability defined, please update COMMON_CAP2_PERMS.
>> #endif
>>
Nicolas
WARNING: multiple messages have this Message-ID (diff)
From: nicolas@belouin.fr (nicolas at belouin.fr)
To: linux-security-module@vger.kernel.org
Subject: [kernel-hardening] [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED
Date: Sat, 21 Oct 2017 21:04:48 +0200 [thread overview]
Message-ID: <201710211904.v9LJ4o1X046943@smtp5.infomaniak.ch> (raw)
In-Reply-To: <d3e1c911-138d-082a-b941-651217d0faf8@schaufler-ca.com>
<james.l.morris@oracle.com>,linux-ext4 at vger.kernel.org,linux-kernel at vger.kernel.org,linux-f2fs-devel at lists.sourceforge.net,linux-fsdevel at vger.kernel.org,linux-mtd at lists.infradead.org,jfs-discussion at lists.sourceforge.net,ocfs2-devel at oss.oracle.com,linux-unionfs at vger.kernel.org,reiserfs-devel at vger.kernel.org,linux-security-module at vger.kernel.org,selinux at tycho.nsa.gov,linux-api at vger.kernel.org,kernel-hardening at lists.openwall.com
From: Nicolas Belouin <nicolas@belouin.fr>
Message-ID: <E5A1BDA4-A309-4118-84D5-72780F619EBA@belouin.fr>
On October 21, 2017 7:25:21 PM GMT+02:00, Casey Schaufler <casey@schaufler-ca.com> wrote:
>On 10/21/2017 6:45 AM, Nicolas Belouin wrote:
>> with CAP_SYS_ADMIN being bloated, the usefulness of using it to
>> flag a process to be entrusted for e.g reading and writing trusted
>> xattr is near zero.
>> CAP_TRUSTED aims to provide userland with a way to mark a process as
>> entrusted to do specific (not specially admin-centered) actions. It
>> would for example allow a process to red/write the trusted xattrs.
>
>Please explain how this is different from CAP_MAC_ADMIN in
>any existing use case. If it is significantly different, how
>would the two interact?
>From my point of view, CAP_MAC_ADMIN allows one to read/write security xattrs, those are meant to describe security policies. As far as I know of, trusted xattrs are intended for a privileged process to read or write arbitrary data. I don't have any real world example in mind that use trusted xattrs, but I'll try to find one.
>
>> Signed-off-by: Nicolas Belouin <nicolas@belouin.fr>
>> ---
>> include/uapi/linux/capability.h | 6 +++++-
>> security/selinux/include/classmap.h | 5 +++--
>> 2 files changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/uapi/linux/capability.h
>b/include/uapi/linux/capability.h
>> index ce230aa6d928..27e457b93c84 100644
>> --- a/include/uapi/linux/capability.h
>> +++ b/include/uapi/linux/capability.h
>> @@ -369,7 +369,11 @@ struct vfs_ns_cap_data {
>>
>> #define CAP_SYS_MOUNT 38
>>
>> -#define CAP_LAST_CAP CAP_SYS_MOUNT
>> +/* Allow read/write trusted xattr */
>> +
>> +#define CAP_TRUSTED 39
>> +
>> +#define CAP_LAST_CAP CAP_TRUSTED
>>
>> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>>
>> diff --git a/security/selinux/include/classmap.h
>b/security/selinux/include/classmap.h
>> index a873dce97fd5..f5dc8e109f5a 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -24,9 +24,10 @@
>> "audit_control", "setfcap"
>>
>> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
>> - "wake_alarm", "block_suspend", "audit_read", "sys_mount"
>> + "wake_alarm", "block_suspend", "audit_read", "sys_mount", \
>> + "trusted"
>>
>> -#if CAP_LAST_CAP > CAP_SYS_MOUNT
>> +#if CAP_LAST_CAP > CAP_TRUSTED
>> #error New capability defined, please update COMMON_CAP2_PERMS.
>> #endif
>>
Nicolas
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: nicolas@belouin.fr
To: Casey Schaufler <casey@schaufler-ca.com>,
Jan Kara <jack@suse.com>, "Theodore Ts'o" <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <yuchao0@huawei.com>,
David Woodhouse <dwmw2@infradead.org>,
Dave Kleikamp <shaggy@kernel.org>,
Mark Fasheh <mfasheh@versity.com>,
Joel Becker <jlbec@evilplan.org>,
Miklos Szeredi <miklos@szeredi.hu>,
Phillip Lougher <phillip@squashfs.org.uk>,
Richard Weinberger <richard@nod.at>,
Artem Bityutskiy <dedekind1@gmail.com>,
Adrian Hunter <adrian.hunter@intel.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Serge Hallyn <serge@hallyn.com>, Paul Moore <paul@paul-moore.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
James.Morris@smtp5.infomaniak.ch
Subject: Re: [kernel-hardening] [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED
Date: Sat, 21 Oct 2017 21:04:48 +0200 [thread overview]
Message-ID: <201710211904.v9LJ4o1X046943@smtp5.infomaniak.ch> (raw)
In-Reply-To: <d3e1c911-138d-082a-b941-651217d0faf8@schaufler-ca.com>
<james.l.morris@oracle.com>,linux-ext4@vger.kernel.org,linux-kernel@vger.kernel.org,linux-f2fs-devel@lists.sourceforge.net,linux-fsdevel@vger.kernel.org,linux-mtd@lists.infradead.org,jfs-discussion@lists.sourceforge.net,ocfs2-devel@oss.oracle.com,linux-unionfs@vger.kernel.org,reiserfs-devel@vger.kernel.org,linux-security-module@vger.kernel.org,selinux@tycho.nsa.gov,linux-api@vger.kernel.org,kernel-hardening@lists.openwall.com
From: Nicolas Belouin <nicolas@belouin.fr>
Message-ID: <E5A1BDA4-A309-4118-84D5-72780F619EBA@belouin.fr>
On October 21, 2017 7:25:21 PM GMT+02:00, Casey Schaufler <casey@schaufler-ca.com> wrote:
>On 10/21/2017 6:45 AM, Nicolas Belouin wrote:
>> with CAP_SYS_ADMIN being bloated, the usefulness of using it to
>> flag a process to be entrusted for e.g reading and writing trusted
>> xattr is near zero.
>> CAP_TRUSTED aims to provide userland with a way to mark a process as
>> entrusted to do specific (not specially admin-centered) actions. It
>> would for example allow a process to red/write the trusted xattrs.
>
>Please explain how this is different from CAP_MAC_ADMIN in
>any existing use case. If it is significantly different, how
>would the two interact?
From my point of view, CAP_MAC_ADMIN allows one to read/write security xattrs, those are meant to describe security policies. As far as I know of, trusted xattrs are intended for a privileged process to read or write arbitrary data. I don't have any real world example in mind that use trusted xattrs, but I'll try to find one.
>
>> Signed-off-by: Nicolas Belouin <nicolas@belouin.fr>
>> ---
>> include/uapi/linux/capability.h | 6 +++++-
>> security/selinux/include/classmap.h | 5 +++--
>> 2 files changed, 8 insertions(+), 3 deletions(-)
>>
>> diff --git a/include/uapi/linux/capability.h
>b/include/uapi/linux/capability.h
>> index ce230aa6d928..27e457b93c84 100644
>> --- a/include/uapi/linux/capability.h
>> +++ b/include/uapi/linux/capability.h
>> @@ -369,7 +369,11 @@ struct vfs_ns_cap_data {
>>
>> #define CAP_SYS_MOUNT 38
>>
>> -#define CAP_LAST_CAP CAP_SYS_MOUNT
>> +/* Allow read/write trusted xattr */
>> +
>> +#define CAP_TRUSTED 39
>> +
>> +#define CAP_LAST_CAP CAP_TRUSTED
>>
>> #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
>>
>> diff --git a/security/selinux/include/classmap.h
>b/security/selinux/include/classmap.h
>> index a873dce97fd5..f5dc8e109f5a 100644
>> --- a/security/selinux/include/classmap.h
>> +++ b/security/selinux/include/classmap.h
>> @@ -24,9 +24,10 @@
>> "audit_control", "setfcap"
>>
>> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
>> - "wake_alarm", "block_suspend", "audit_read", "sys_mount"
>> + "wake_alarm", "block_suspend", "audit_read", "sys_mount", \
>> + "trusted"
>>
>> -#if CAP_LAST_CAP > CAP_SYS_MOUNT
>> +#if CAP_LAST_CAP > CAP_TRUSTED
>> #error New capability defined, please update COMMON_CAP2_PERMS.
>> #endif
>>
Nicolas
next prev parent reply other threads:[~2017-10-21 19:08 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-21 13:45 [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED Nicolas Belouin
2017-10-21 13:45 ` [kernel-hardening] " Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 13:45 ` [RFC PATCH 2/2] fs: Grant CAP_TRUSTED rw access to trusted xattrs Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 13:45 ` [kernel-hardening] " Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 13:45 ` Nicolas Belouin
2017-10-21 16:03 ` [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED Serge E. Hallyn
2017-10-21 16:03 ` [kernel-hardening] " Serge E. Hallyn
2017-10-21 16:03 ` Serge E. Hallyn
2017-10-21 16:03 ` Serge E. Hallyn
2017-10-21 19:09 ` nicolas
2017-10-21 19:09 ` nicolas at belouin.fr
2017-10-21 19:09 ` nicolas
2017-10-21 19:09 ` nicolas
2017-10-21 19:09 ` nicolas
[not found] ` <20171021160302.GA2842-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2017-10-21 19:09 ` nicolas-6zwZCx3K5ONGWvitb5QawA
2017-10-21 19:09 ` nicolas
2017-10-21 17:25 ` [kernel-hardening] " Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` [kernel-hardening] " Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
[not found] ` <20171021134558.21195-1-nicolas-6zwZCx3K5ONGWvitb5QawA@public.gmane.org>
2017-10-21 13:45 ` [RFC PATCH 2/2] fs: Grant CAP_TRUSTED rw access to trusted xattrs Nicolas Belouin
2017-10-21 17:25 ` [kernel-hardening] [RFC PATCH 1/2] security, capabilities: create CAP_TRUSTED Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
2017-10-21 17:25 ` Casey Schaufler
[not found] ` <d3e1c911-138d-082a-b941-651217d0faf8-iSGtlc1asvQWG2LlvL+J4A@public.gmane.org>
2017-10-21 19:04 ` nicolas-6zwZCx3K5ONGWvitb5QawA
2017-10-21 19:04 ` nicolas
2017-10-21 19:04 ` nicolas [this message]
2017-10-21 19:04 ` nicolas
2017-10-21 19:04 ` nicolas at belouin.fr
2017-10-21 19:04 ` nicolas
2017-10-21 19:04 ` nicolas
2017-10-21 19:04 ` nicolas
2017-10-21 17:25 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201710211904.v9LJ4o1X046943@smtp5.infomaniak.ch \
--to=nicolas@belouin.fr \
--cc=James.Morris@smtp5.infomaniak.ch \
--cc=adilger.kernel@dilger.ca \
--cc=adrian.hunter@intel.com \
--cc=casey@schaufler-ca.com \
--cc=dedekind1@gmail.com \
--cc=dwmw2@infradead.org \
--cc=eparis@parisplace.org \
--cc=jack@suse.com \
--cc=jaegeuk@kernel.org \
--cc=jlbec@evilplan.org \
--cc=mfasheh@versity.com \
--cc=miklos@szeredi.hu \
--cc=paul@paul-moore.com \
--cc=phillip@squashfs.org.uk \
--cc=richard@nod.at \
--cc=sds@tycho.nsa.gov \
--cc=serge@hallyn.com \
--cc=shaggy@kernel.org \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=yuchao0@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.