From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752792AbbBWPyV (ORCPT ); Mon, 23 Feb 2015 10:54:21 -0500 Received: from [69.252.207.36] ([69.252.207.36]:43172 "EHLO resqmta-ch2-04v.sys.comcast.net" rhost-flags-FAIL-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1751055AbbBWPyT (ORCPT ); Mon, 23 Feb 2015 10:54:19 -0500 Date: Mon, 23 Feb 2015 09:53:57 -0600 (CST) From: Christoph Lameter X-X-Sender: cl@gentwo.org To: Andy Lutomirski cc: Serge Hallyn , Aaron Jones , "Ted Ts'o" , LSM List , Andrew Morton , "Andrew G. Morgan" , Mimi Zohar , Austin S Hemmelgarn , Markku Savela , Jarkko Sakkinen , "linux-kernel@vger.kernel.org" , Linux API , Michael Kerrisk , Jonathan Corbet Subject: Re: [PATCH] capabilities: Ambient capability set V1 In-Reply-To: Message-ID: References: Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 23 Feb 2015, Andy Lutomirski wrote: > At the very least, I think it needs to define and implement what > happens when a cap is added to ambient and then dropped from > permitted. We also may need LSM_UNSAFE_something to clear the ambient > set to avoid a major security issue. The ambient cap needs to stay otherwise we will have issues again if another binary/script is forked. IMHO the only way to switch off an ambient capability should be another prctl action. The intend is after all to have the cap available for all inherited processes. Frankly, I'd rather have the ambient caps separate. We could do a stronger separation by checking for permitted or ambient in capable(). > I'd like to discuss (in the hallway if nothing else) at LSF/MM with > whatever other interested people will be there. Ok. I will be at the MM meeting in Boston. 8th and 9th of March. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christoph Lameter Subject: Re: [PATCH] capabilities: Ambient capability set V1 Date: Mon, 23 Feb 2015 09:53:57 -0600 (CST) Message-ID: References: Content-Type: TEXT/PLAIN; charset=US-ASCII Return-path: In-Reply-To: Sender: linux-api-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Andy Lutomirski Cc: Serge Hallyn , Aaron Jones , Ted Ts'o , LSM List , Andrew Morton , "Andrew G. Morgan" , Mimi Zohar , Austin S Hemmelgarn , Markku Savela , Jarkko Sakkinen , "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , Linux API , Michael Kerrisk , Jonathan Corbet List-Id: linux-api@vger.kernel.org On Mon, 23 Feb 2015, Andy Lutomirski wrote: > At the very least, I think it needs to define and implement what > happens when a cap is added to ambient and then dropped from > permitted. We also may need LSM_UNSAFE_something to clear the ambient > set to avoid a major security issue. The ambient cap needs to stay otherwise we will have issues again if another binary/script is forked. IMHO the only way to switch off an ambient capability should be another prctl action. The intend is after all to have the cap available for all inherited processes. Frankly, I'd rather have the ambient caps separate. We could do a stronger separation by checking for permitted or ambient in capable(). > I'd like to discuss (in the hallway if nothing else) at LSF/MM with > whatever other interested people will be there. Ok. I will be at the MM meeting in Boston. 8th and 9th of March.