From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
To: "Andrew G. Morgan" <morgan@kernel.org>
Cc: LSM List <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH 12/15] Manual pages: cap_get_file.3: NOTES: note the effect of the Ambient set
Date: Mon, 20 Jul 2020 22:21:55 +0200
Message-ID: <CAKgNAkh=oa2Rv-sfsY3mNsvUdTi5sO0hvY9PSQTGCraJ=3+3eA@mail.gmail.com>
In-Reply-To: <CALQRfL5-aL3h6M+CYqkVHSpPKQ-i3s+RWD8060AicrGPP3vSfw@mail.gmail.com>

Hi Andrew,

On Mon, 20 Jul 2020 at 17:36, Andrew G. Morgan <morgan@kernel.org> wrote:
>
> I've applied all but this one. This one seems to imply that if the
> effective bit is lowered, but the permitted bits are raised, the
> ambient will have some sort of effect. This isn't how it works. Any
> file caps (even an empty set) suppresses any effect of the ambient
> vector.

Thanks for catching that. I was trying to capture this piece of the
execve() transformation rules:

P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)

But of course, I failed to capture the detail that it is the process's
*new* ambient set (which, as you note, is cleared if the file has any
attached capabilities) that is assigned to the effective set. Perhaps
the text is best left as is. If I have some better idea, I'll come
back to you.

Thanks,

Michael

> On Mon, Jul 20, 2020 at 2:14 AM Michael Kerrisk (man-pages)
> <mtk.manpages@gmail.com> wrote:
> >
> > The addition of Ambient capabilities in Linux 4.3 rendered the text on
> > the effect of the Effective bit during execve(2) out-of-date. Fix that.
> > Also add a couple of paragraph breaks to improve readability.
> >
> > Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>
> > ---
> >  doc/cap_get_file.3 | 11 ++++++++---
> >  1 file changed, 8 insertions(+), 3 deletions(-)
> >
> > diff --git a/doc/cap_get_file.3 b/doc/cap_get_file.3
> > index ceacbaf..dc7b571 100644
> > --- a/doc/cap_get_file.3
> > +++ b/doc/cap_get_file.3
> > @@ -103,13 +103,18 @@ or
> >  These functions are specified by withdrawn POSIX.1e draft specification.
> >  .SH NOTES
> >  Support for file capabilities is provided on Linux since version 2.6.24.
> > -
> > +.PP
> >  On Linux, the file Effective set is a single bit.
> >  If it is enabled, then all Permitted capabilities are enabled
> >  in the Effective set of the calling process when the file is executed;
> > -otherwise, no capabilities are enabled in the process's Effective set
> > +otherwise, the process's Ambient capabilities
> > +(or, before the Linux 4.3 addition of Ambient capabilities, no capabilities)
> > +are enabled in the process's Effective set
> >  following an
> > -.BR execve (2).
> > +.BR execve (2)
> > +(see
> > +.BR capabilities (7)).
> > +.PP
> >  Because the file Effective set is a single bit,
> >  if any capability is enabled in the Effective set of the
> >  .I cap_t
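Review bot: the new wording "otherwise, the process's Ambient capabilities ... are enabled in the process's Effective set" reads as if the Ambient set the process had before execve(2) survives, but the rule it paraphrases, P'(effective) = F(effective) ? P'(permitted) : P'(ambient), assigns the process's *new* Ambient set, which is cleared whenever the file has any attached capabilities (even an empty set). Since this page documents files that do carry capabilities, clearing the file Effective bit leaves the Effective set empty after execve(2) regardless of the caller's Ambient set, so the replaced line "no capabilities are enabled in the process's Effective set" was accurate for this man page. Suggest either restoring that sentence or, if the Ambient reference is kept, stating explicitly that the Ambient set is cleared on execve(2) of a file with attached capabilities, so the Ambient case only applies to files without them.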
> > --
> > 2.26.2
> >

-- 
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
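The following is an added worked model of the execve() transformation rules discussed in this thread; it is example code written for this page, not code from libcap or from either correspondent. It encodes the capabilities(7) rules for a non-root caller, including the P'(effective) line quoted above, and Andrew's point that any attached file capability set, even an empty one, clears the new Ambient set (the `privileged` test in `execve_transform` treats that as an assumption taken from the thread, alongside set-UID/set-GID files). The capability numbers for CAP_NET_BIND_SERVICE (10) and CAP_NET_RAW (13) match <linux/capability.h>; the `exec_with_ambient` helper and the sample process and file sets are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A capability set as a 64-bit mask; bit n stands for capability number n. */
typedef uint64_t capset_t;

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_BIT(n)               ((capset_t)1 << (n))
#define CAP_NET_BIND_SERVICE_BIT CAP_BIT(10)
#define CAP_NET_RAW_BIT          CAP_BIT(13)

struct proc_caps {
    capset_t permitted, inheritable, effective, ambient, bounding;
};

/* File capabilities: `present` means a capability xattr is attached to the
 * file (possibly with empty sets); `effective` is the single Effective bit. */
struct file_caps {
    bool present;
    capset_t permitted, inheritable;
    bool effective;
};

/* The capabilities(7) transformation rules for a non-root execve().
 * Assumption (taken from the thread): any attached file capability set, even
 * an empty one, makes the file "privileged" and clears the new Ambient set. */
struct proc_caps execve_transform(const struct proc_caps *p,
                                  const struct file_caps *f, bool setid)
{
    struct proc_caps n;
    bool privileged = f->present || setid;

    n.ambient   = privileged ? 0 : p->ambient;               /* P'(ambient)   */
    n.permitted = (p->inheritable & f->inheritable)          /* P'(permitted) */
                | (f->permitted & p->bounding)
                | n.ambient;
    /* The rule under discussion: F(effective) selects P'(permitted),
     * otherwise the *new* Ambient set, which was already cleared above
     * if the file carries capabilities. */
    n.effective   = f->effective ? n.permitted : n.ambient;  /* P'(effective) */
    n.inheritable = p->inheritable;                          /* P'(inheritable) */
    n.bounding    = p->bounding;
    return n;
}

/* Constructed scenario: a process carrying `ambient` (also held in its
 * Permitted and Inheritable sets, as the kernel requires for Ambient bits)
 * executes a file with the given attached capabilities. */
struct proc_caps exec_with_ambient(capset_t ambient, bool file_has_caps,
                                   capset_t file_permitted, bool file_effective_bit)
{
    struct proc_caps p = {
        .permitted = ambient, .inheritable = ambient, .effective = ambient,
        .ambient = ambient, .bounding = ~(capset_t)0,
    };
    struct file_caps f = {
        .present = file_has_caps, .permitted = file_permitted,
        .inheritable = 0, .effective = file_effective_bit,
    };
    return execve_transform(&p, &f, false);
}

capset_t effective_after_exec(capset_t ambient, bool file_has_caps,
                              capset_t file_permitted, bool file_effective_bit)
{
    return exec_with_ambient(ambient, file_has_caps, file_permitted,
                             file_effective_bit).effective;
}

capset_t ambient_after_exec(capset_t ambient, bool file_has_caps,
                            capset_t file_permitted, bool file_effective_bit)
{
    return exec_with_ambient(ambient, file_has_caps, file_permitted,
                             file_effective_bit).ambient;
}

int main(void)
{
    struct {
        const char *label; bool has_caps; capset_t fperm; bool ebit;
    } cases[] = {
        { "no file caps",                       false, 0,                        false },
        { "file caps, Effective bit set",       true,  CAP_NET_BIND_SERVICE_BIT, true  },
        { "file caps, Effective bit clear",     true,  CAP_NET_BIND_SERVICE_BIT, false },
        { "empty file caps, Effective bit clear", true, 0,                       false },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct proc_caps n = exec_with_ambient(CAP_NET_RAW_BIT, cases[i].has_caps,
                                               cases[i].fperm, cases[i].ebit);
        printf("%-40s ambient=%#llx permitted=%#llx effective=%#llx\n",
               cases[i].label, (unsigned long long)n.ambient,
               (unsigned long long)n.permitted, (unsigned long long)n.effective);
    }
    return 0;
}
```

The third scenario is the one Andrew describes: the file raises Permitted (CAP_NET_BIND_SERVICE) but leaves the Effective bit clear, and the caller's Ambient CAP_NET_RAW has no effect because the new Ambient set is already empty, so the process starts with an empty Effective set. Only the first scenario, a file with no capabilities attached, carries the Ambient set through into Effective.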
