linux-kernel.vger.kernel.org archive mirror
* Is CAP_SYS_ADMIN checked by every program !?
@ 2004-12-29  4:47 Tetsuo Handa
  2004-12-30  3:52 ` Walter Liu
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-29  4:47 UTC (permalink / raw)
  To: linux-kernel

  Hello.

I found a strange behavior with kernel 2.6.9 and later. (I haven't tested 2.6.8 and earlier.)
It seems to me that every program calls capable(CAP_SYS_ADMIN),
even for programs such as cat(1), sed(1), ls(1).
My environment is Fedora Core 3.

The following is the patch for checking.

----- Start of Patch -----
*** sched.h.org Sat Dec 25 06:33:59 2004
--- sched.h     Wed Dec 29 13:00:53 2004
***************
*** 870,875 ****
--- 870,882 ----
  #else
  static inline int capable(int cap)
  {
+       if (cap == CAP_SYS_ADMIN) {
+               static pid_t last_pid = 0;
+               if (current->pid != last_pid) {
+                       printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
lse", current->comm);
+                       last_pid = current->pid;
+               }
+       }
        if (cap_raised(current->cap_effective, cap)) {
                current->flags |= PF_SUPERPRIV;
                return 1;
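Review bot: `static pid_t last_pid` at the top of the added block lives inside a `static inline` function in sched.h, so every object file that includes the header keeps its own copy and the "print once per pid" filter only suppresses repeats coming from the same compilation unit. It is also read and written without any locking, so two CPUs can interleave updates. Move the bookkeeping and the printk into one out-of-line helper in a single .c file and call that helper from capable().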
----- End of Patch -----

Programs run as root always show "true", and run as non-root always show "false",
but it will be OK.
I can't understand why every program checks for CAP_SYS_ADMIN.
With 2.4.28 and RedHat 9, no such behavior happens.

Is this normal behavior for 2.6?



I placed my .config at http://hp.vector.co.jp/authors/VA022513/tmp/config-2.6.10 .
(By the way, why not prepare a ".config file keeper" like pgp.mit.edu? I think it can save ML traffic.)



Regards.

-------
  Tetsuo Handa

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-29  4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
@ 2004-12-30  3:52 ` Walter Liu
  2004-12-30  4:45 ` Bernd Eckenfels
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Walter Liu @ 2004-12-30  3:52 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-kernel

Tetsuo Handa wrote:

>  Hello.
>
>I found a strange behavior with kernel 2.6.9 and later. (I haven't tested 2.6.8 and earlier.)
>It seems to me that every program calls capable(CAP_SYS_ADMIN),
>even for programs such as cat(1), sed(1), ls(1).
>My environment is Fedora Core 3.
>
>The following is the patch for checking.
>
>----- Start of Patch -----
>*** sched.h.org Sat Dec 25 06:33:59 2004
>--- sched.h     Wed Dec 29 13:00:53 2004
>***************
>*** 870,875 ****
>--- 870,882 ----
>  #else
>  static inline int capable(int cap)
>  {
>+       if (cap == CAP_SYS_ADMIN) {
>+               static pid_t last_pid = 0;
>+               if (current->pid != last_pid) {
>+                       printk("euid=%d uid=%d %s %s\n", current->euid, current->uid, cap_raised(current->cap_effective, CAP_SYS_ADMIN) ? "true" : "fa
>lse", current->comm);
>+                       last_pid = current->pid;
>+               }
>+       }
>        if (cap_raised(current->cap_effective, cap)) {
>                current->flags |= PF_SUPERPRIV;
>                return 1;
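Review bot: the printk in the added block has no log level and prints only euid, uid, the capability result and current->comm, so the output cannot show which kernel path asked for CAP_SYS_ADMIN or tell apart two processes with the same name. Give it an explicit level such as KERN_DEBUG, add current->pid to the format string, and record the caller (for example with dump_stack()) so each line can be tied to a call site.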
>----- End of Patch -----
>
>Programs run as root always show "true", and run as non-root always show "false",
>but it will be OK.
>I can't understand why every program checks for CAP_SYS_ADMIN.
>With 2.4.28 and RedHat 9, no such behavior happens.
>
>Is this normal behavior for 2.6?
>
>  
>
The POSIX capability mechanism is the OS privilege mechanism,
like the privilege mechanism in VMS or NT.
I think that every process, for any capability, has to check them.
This is a must operation.

Regards
LWT


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-29  4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
  2004-12-30  3:52 ` Walter Liu
@ 2004-12-30  4:45 ` Bernd Eckenfels
  2004-12-30  5:35 ` Kyle Moffett
  2004-12-30 13:37 ` Tetsuo Handa
  3 siblings, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30  4:45 UTC (permalink / raw)
  To: linux-kernel

In article <200412291347.JEH41956.OOtStPFFNMLJVGMYS@i-love.sakura.ne.jp> you wrote:
> even for programs such as cat(1) sed(1) ls(1).

Have you tried strace, to see if it is actually the user mode which is doing that?
If yes, then it might be a libc issue. Perhaps hwcap or something like this.
libc for example disables some features if running suid. Maybe those checks
result in checking capabilities.

Greetings
Bernd

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-29  4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
  2004-12-30  3:52 ` Walter Liu
  2004-12-30  4:45 ` Bernd Eckenfels
@ 2004-12-30  5:35 ` Kyle Moffett
  2004-12-30  5:46   ` Valdis.Kletnieks
  2004-12-30  7:40   ` Tetsuo Handa
  2004-12-30 13:37 ` Tetsuo Handa
  3 siblings, 2 replies; 10+ messages in thread
From: Kyle Moffett @ 2004-12-30  5:35 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: linux-kernel

On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> It seems to me that every program calls capable(CAP_SYS_ADMIN),

Umm, the program has nothing to do with this.  Programs themselves have no
access to the kernel function "capable".  Probably something in the kernel,
perhaps triggered by libc or maybe just suid checks, is checking for
CAP_SYS_ADMIN. It's harmless and irrelevant, why do you care?

> +       if (cap == CAP_SYS_ADMIN) {
> +               static pid_t last_pid = 0;
> +               if (current->pid != last_pid) {
> +                       printk("euid=%d uid=%d %s %s\n", 
> current->euid, current->uid, cap_raised(current->cap_effective, 
> CAP_SYS_ADMIN) ? "true" : "fa
> lse", current->comm);
> +                       last_pid = current->pid;
> +               }
> +       }

Yes, whenever anything on the computer, including the kernel, checks if a
program has a capability bit set, it will print out whether or not it does
in the dmesg.  Why does that matter?

> I can't understand why every program checks for CAP_SYS_ADMIN .
Programs aren't, the kernel is, for whatever reason.

Cheers,
Kyle Moffett

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-30  5:35 ` Kyle Moffett
@ 2004-12-30  5:46   ` Valdis.Kletnieks
  2004-12-30  6:13     ` Bernd Eckenfels
  2004-12-30  7:40   ` Tetsuo Handa
  1 sibling, 1 reply; 10+ messages in thread
From: Valdis.Kletnieks @ 2004-12-30  5:46 UTC (permalink / raw)
  To: Kyle Moffett; +Cc: Tetsuo Handa, linux-kernel


On Thu, 30 Dec 2004 00:35:06 EST, Kyle Moffett said:

> Yes, whenever anything on the computer, including the kernel, checks if a
> program has a capability bit set, it will print out whether or not it does
> in the dmesg.  Why does that matter?

If you actually log your kernel messages it can matter, if every single
process suddenly starts dumping a line in your syslogs, especially on a
busy system...


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-30  5:46   ` Valdis.Kletnieks
@ 2004-12-30  6:13     ` Bernd Eckenfels
  0 siblings, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30  6:13 UTC (permalink / raw)
  To: linux-kernel

In article <200412300546.iBU5kVie023979@turing-police.cc.vt.edu> you wrote:
> If you actually log your kernel messages it can matter, if every single
> process suddenly starts dumping a line in your syslogs, especially on a
> busy system...

It does not, the patch is not part of the linux kernel. There is nothing
which is tracing permission checks. 

Of course this might become interesting, if you want to do a full audit log,
however the current functionality in the kernel infrastructure is not very
well suited for that, since you would have to do stack analysis for
meaningful traces (like "who checked access permission, why").


Greetings
Bernd

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-30  5:35 ` Kyle Moffett
  2004-12-30  5:46   ` Valdis.Kletnieks
@ 2004-12-30  7:40   ` Tetsuo Handa
  2004-12-30  8:24     ` Bernd Eckenfels
  2005-01-03 13:52     ` Stephen Smalley
  1 sibling, 2 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-30  7:40 UTC (permalink / raw)
  To: mrmacman_g4, linux-kernel

Hello,

In message <9033584D-5A24-11D9-989E-000393ACC76E@mac.com>
   "Re: Is CAP_SYS_ADMIN checked by every program !?"
   "Kyle Moffett <mrmacman_g4@mac.com>" wrote:

> On Dec 28, 2004, at 23:47, Tetsuo Handa wrote:
> > It seems to me that every program calls capable(CAP_SYS_ADMIN),
> 
> Umm, the program has nothing to do with this.  Programs themselves have no
> access to the kernel function "capable".  Probably something in the kernel,
> perhaps triggered by libc or maybe just suid checks, is checking for
> CAP_SYS_ADMIN. It's harmless and irrelevant, why do you care?

I'm developing a kernel patch that provides simple and handy
MAC (mandatory access control) functionality, much easier than SELinux.
And now I'm porting the patch from 2.4 to 2.6,
though the patch can't support LSM, for it refers to 'struct vfsmount'.

At first, I doubted that some kernel function (do_execve(), memory management
functions, or any kernel functions that are always called by every process) is
doing this CAP_SYS_ADMIN checking. But maybe this CAP_SYS_ADMIN checking is
caused by the Fedora Core 3's libc, not by the kernel.
I don't have a 2.6 kernel environment other than Fedora Core 3.

But anyway, I have to give up checking for CAP_SYS_ADMIN.

Thank you.
--
Tetsuo Handa

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-30  7:40   ` Tetsuo Handa
@ 2004-12-30  8:24     ` Bernd Eckenfels
  2005-01-03 13:52     ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Bernd Eckenfels @ 2004-12-30  8:24 UTC (permalink / raw)
  To: linux-kernel

In article <200412301640.FCB13564.FtFPMSMGJtSOLVOYN@i-love.sakura.ne.jp> you wrote:
> But anyway, I have to give up checking for CAP_SYS_ADMIN.

You can add dump_stack(void) from kernel.h to your patch, since there are not
many sources for SYS_ADMIN capabilities checks in the kernel. You will
quickly find the syscall in question.

Greetings
Bernd

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-29  4:47 Is CAP_SYS_ADMIN checked by every program !? Tetsuo Handa
                   ` (2 preceding siblings ...)
  2004-12-30  5:35 ` Kyle Moffett
@ 2004-12-30 13:37 ` Tetsuo Handa
  3 siblings, 0 replies; 10+ messages in thread
From: Tetsuo Handa @ 2004-12-30 13:37 UTC (permalink / raw)
  To: linux-kernel

Hello,

Bernd Eckenfels wrote:
> You can add dump_stack(void) from kernel.h to your patch, since there are not
> many sources for SYS_ADMIN capabilities checks in the kernel. You will
> quickly find the syscall in question.

Oh, this is exactly what I need.

And the following are the results of these two lines.
  printk("\n[%s]\n", current->comm);
  dump_stack();

[ls]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0156dcd>] setup_arg_pages+0x9d/0x230
 [<c0174373>] load_elf_binary+0x473/0xca0
 [<c01334e7>] __alloc_pages+0xa7/0x360
 [<c0156bdd>] copy_strings+0x1dd/0x200
 [<c0157b00>] search_binary_handler+0x50/0x170
 [<c0157d9e>] do_execve+0x17e/0x210
 [<c01010bc>] sys_execve+0x3c/0x80
 [<c010246d>] sysenter_past_esp+0x52/0x75

[cat]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0156dcd>] setup_arg_pages+0x9d/0x230
 [<c0174373>] load_elf_binary+0x473/0xca0
 [<c01334e7>] __alloc_pages+0xa7/0x360
 [<c0156bdd>] copy_strings+0x1dd/0x200
 [<c0157b00>] search_binary_handler+0x50/0x170
 [<c0157d9e>] do_execve+0x17e/0x210
 [<c01010bc>] sys_execve+0x3c/0x80
 [<c010246d>] sysenter_past_esp+0x52/0x75

[tcsh]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0112c1e>] copy_mm+0x17e/0x360
 [<c0113686>] copy_process+0x406/0x9c0
 [<c0113d45>] do_fork+0x75/0x1ad
 [<c01e753e>] copy_to_user+0x3e/0x50
 [<c011f85e>] sys_rt_sigprocmask+0xae/0x100
 [<c010103c>] sys_clone+0x3c/0x40
 [<c010246d>] sysenter_past_esp+0x52/0x75

[sed]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0156dcd>] setup_arg_pages+0x9d/0x230
 [<c0174373>] load_elf_binary+0x473/0xca0
 [<c01334e7>] __alloc_pages+0xa7/0x360
 [<c0156bdd>] copy_strings+0x1dd/0x200
 [<c0157b00>] search_binary_handler+0x50/0x170
 [<c0157d9e>] do_execve+0x17e/0x210
 [<c01010bc>] sys_execve+0x3c/0x80
 [<c010246d>] sysenter_past_esp+0x52/0x75

[klogd]
 [<c01e179c>] cap_syslog+0x4c/0x80
 [<c011445d>] do_syslog+0x2d/0x380
 [<c0127640>] autoremove_wake_function+0x0/0x60
 [<c011cb84>] update_process_times+0x44/0x50
 [<c0127640>] autoremove_wake_function+0x0/0x60
 [<c014cda6>] vfs_read+0x116/0x160
 [<c014d0b1>] sys_read+0x51/0x80
 [<c010246d>] sysenter_past_esp+0x52/0x75

The function which calls capable(CAP_SYS_ADMIN) is
cap_vm_enough_memory() defined in security/commoncap.c,
and this function is called whenever sys_execve() is called.
Therefore, it seemed to me that every program calls capable(CAP_SYS_ADMIN).

Thank you very much.
--
Tetsuo Handa

^ permalink raw reply	[flat|nested] 10+ messages in thread
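
Added example, not part of the original message: a short Python parser for dumps in the format shown above (a "[comm]" header from the printk, then dump_stack() frames) that reports, per process, the function that called capable() and the syscall that was entered. The sample is a shortened copy of the traces above; the names parse, attribute and checkers are illustrative, and the parser assumes frames are listed innermost first.

```python
import re
from collections import Counter
# Shortened copy of three dumps from the message above (some frames omitted,
# addresses and offsets unchanged).
TRACE = """
[ls]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0156dcd>] setup_arg_pages+0x9d/0x230
 [<c01010bc>] sys_execve+0x3c/0x80
[tcsh]
 [<c01e1852>] cap_vm_enough_memory+0x82/0x1f0
 [<c0112c1e>] copy_mm+0x17e/0x360
 [<c011f85e>] sys_rt_sigprocmask+0xae/0x100
 [<c010103c>] sys_clone+0x3c/0x40
[klogd]
 [<c01e179c>] cap_syslog+0x4c/0x80
 [<c011445d>] do_syslog+0x2d/0x380
 [<c014d0b1>] sys_read+0x51/0x80
"""

HEADER = re.compile(r"^\[([^\]<>]+)\]$")            # "[comm]" from the printk
FRAME = re.compile(r"^\[<[0-9a-f]+>\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

def parse(text):
    """Return [(comm, [symbols])], innermost frame first, one entry per dump."""
    dumps = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            dumps.append((m[1], []))
        elif dumps and (m := FRAME.match(line)):
            dumps[-1][1].append(m[1])
    return [d for d in dumps if d[1]]

def attribute(text):
    """Return [(comm, function that called capable(), syscall entered)]."""
    rows = []
    for comm, frames in parse(text):
        # Innermost frame first: the syscall entered is the LAST sys_* symbol;
        # an earlier one (sys_rt_sigprocmask under tcsh) is a stale stack word.
        syscalls = [f for f in frames if f.startswith("sys_")]
        rows.append((comm, frames[0], syscalls[-1] if syscalls else None))
    return rows

def checkers(text):
    """Count how many dumps each immediate caller of capable() accounts for."""
    return Counter(fn for _, fn, _ in attribute(text))

if __name__ == "__main__":
    for row in attribute(TRACE):
        print(*row)
```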

* Re: Is CAP_SYS_ADMIN checked by every program !?
  2004-12-30  7:40   ` Tetsuo Handa
  2004-12-30  8:24     ` Bernd Eckenfels
@ 2005-01-03 13:52     ` Stephen Smalley
  1 sibling, 0 replies; 10+ messages in thread
From: Stephen Smalley @ 2005-01-03 13:52 UTC (permalink / raw)
  To: Tetsuo Handa; +Cc: lkml, Chris Wright

On Thu, 2004-12-30 at 02:40, Tetsuo Handa wrote:
> I'm developing a kernel patch that provides simple and handy
> MAC (mandatory access control) functionality, much easier than SELinux.
> And now I'm porting the patch from 2.4 to 2.6,
> though the patch can't support LSM, for it refers to 'struct vfsmount'.
> 
> At first, I doubted that some kernel function (do_execve(), memory management
> functions, or any kernel functions that are always called by every process) is
> doing this CAP_SYS_ADMIN checking. But maybe this CAP_SYS_ADMIN checking is
> caused by the Fedora Core 3's libc, not by the kernel.
> I don't have a 2.6 kernel environment other than Fedora Core 3.
> 
> But anyway, I have to give up checking for CAP_SYS_ADMIN.

Just override the vm_enough_memory security hook with your own function,
as we do in SELinux, to avoid auditing the CAP_SYS_ADMIN check there.
Note that this issue has also come up again on the linux-security-module
mailing list recently, and might be addressed through a change to the
cap_vm_enough_memory hook function.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


^ permalink raw reply	[flat|nested] 10+ messages in thread
