From: "Serge E. Hallyn" <serge@hallyn.com>
To: Andrew Morgan <morgan@kernel.org>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>,
Chris Wright <chrisw@sous-sol.org>,
Andrew Morgan <agm@google.com>,
casey@schaufler-ca.com, Andrew Morton <akpm@google.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: implement-file-posix-capabilities.patch
Date: Mon, 2 Jul 2007 09:38:16 -0500 [thread overview]
Message-ID: <20070702143816.GA17723@vino.hallyn.com> (raw)
In-Reply-To: <467CD63B.4000703@kernel.org>
All,
Regarding future/backward compatibility of file capabilities:
Quoting Andrew Morgan (morgan@kernel.org):
> -----BEGIN PGP SIGNED MESSAGE-----
...
> #define VFS_CAP_REVISION_MASK 0xFF000000
> #define VFS_CAP_REVISION 0x01000000
>
> #define VFS_CAP_FLAGS_MASK ~VFS_CAP_REVISION_MASK
> #define VFS_CAP_FLAGS_EFFECTIVE 0x000001
>
> struct vfs_cap_data {
> __u32 magic_etc;
> struct {
> __u32 permitted; /* Little endian */
> __u32 inheritable; /* Little endian */
> } data[1];
> };
...
> 3) The cap_from_disk() interface checking needs some work.... Most
> notably, size must be greater than sizeof(u32) or the very first line
> will do something nasty... I'd recommend you use code like this:
>
> [...] cap_from_disk(...)
> {
> if (size != sizeof(struct vfs_cap_data)) {
> printk(KERN_WARNING "%s: invalid cap size %d for file %s\n",
> __FUNCTION__, size, bprm->filename);
> return -EINVAL;
> }
>
> switch ((version & VFS_CAP_REVISION_MASK)) {
> case VFS_CAP_REVISION:
> bprm->cap_effective = (version & VFS_CAP_FLAGS_EFFECTIVE)
> ? CAP_FULL_SET : CAP_EMPTY_SET;
> bprm->cap_permitted =
> to_cap_t( le32_to_cpu(dcap->data[0].permitted) );
> bprm->cap_inheritable =
> to_cap_t( le32_to_cpu(dcap->data[0].inheritable) );
> return 0;
> default:
> return -EINVAL;
> }
> }
>
> Basically, I don't believe in designing a secure interface to be forward
> compatible - things never work out that way and the legacy you are
> implicitly committing to will haunt you in the future... FWIW I've known
> a few x86 MSR designers over the years and each one has made this
> mistake at least once... The future is uncertain, so don't trust it will
> look the way you want it to. ;-)
There are a few obvious approaches we can take:
1. Exactly Andrew describes. Once userspace switches to a new cap
format, an older kernel simply won't support them
2. As Andrew describes, but also encode the version number into the
capability name, i.e. security.capability.v3. Now userspace can
optionally tack on more than one capability version to be backward
compatible.
3. Somewhat different than Andrew describes. We mandate that any
capability version N+1 consist of
struct vfs_cap_data {
__u32 magic;
capability_version_1;
capability_version_2;
...
capability_version_N;
capability_version_N+1;
};
Or, for brevity,
struct vfs_cap_data {
__u32 first_magic;
__u32 last_magic;
capability_version_first;
...
capability_version_last;
};
4. Stick to the current plan, where switching to 64-bit caps will be
done as
struct vfs_cap_data_disk {
__le32 version;
__le32 data[]; /* eff[0], perm[0], inh[0], eff[1], ... */
};
What would people prefer?
thanks,
-serge
next prev parent reply other threads:[~2007-07-02 14:38 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20070611123714.GA2063@sergelap.austin.ibm.com>
[not found] ` <878322.98602.qm@web36606.mail.mud.yahoo.com>
[not found] ` <afff21250706110926l244ddc28i44289cb08a6721e2@mail.gmail.com>
[not found] ` <20070617135239.GA17689@sergelap>
[not found] ` <4676007F.7060503@kernel.org>
[not found] ` <20070618044017.GW3723@sequoia.sous-sol.org>
[not found] ` <20070620171037.GA28670@sergelap.ibm.com>
[not found] ` <20070620174613.GF3723@sequoia.sous-sol.org>
2007-06-21 16:00 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-23 8:13 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-24 15:51 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-24 16:18 ` implement-file-posix-capabilities.patch James Morris
2007-06-24 20:58 ` [PATCH][RFC] security: Convert LSM into a static interface James Morris
2007-06-24 22:09 ` Chris Wright
2007-06-24 22:37 ` James Morris
2007-06-25 1:38 ` Chris Wright
2007-06-24 23:40 ` Casey Schaufler
2007-06-25 1:39 ` Chris Wright
2007-06-25 3:37 ` Casey Schaufler
2007-06-25 3:57 ` Chris Wright
2007-06-25 13:02 ` Casey Schaufler
2007-06-25 14:24 ` Roberto De Ioris
2007-06-25 4:33 ` [PATCH try #2] " James Morris
2007-06-25 4:48 ` Petr Vandrovec
2007-06-25 4:58 ` James Morris
2007-06-25 16:59 ` Stephen Smalley
2007-06-25 23:56 ` [PATCH try #3] " James Morris
2007-06-25 20:37 ` [PATCH try #2] " Andreas Gruenbacher
2007-06-25 21:14 ` James Morris
2007-06-26 3:57 ` Serge E. Hallyn
2007-06-26 13:15 ` Adrian Bunk
2007-06-26 14:06 ` Serge E. Hallyn
2007-06-26 14:59 ` Adrian Bunk
2007-06-26 15:53 ` Serge E. Hallyn
2007-06-26 18:52 ` Adrian Bunk
2007-06-26 18:18 ` Greg KH
2007-06-26 18:40 ` Serge E. Hallyn
2007-06-26 4:09 ` Kyle Moffett
2007-06-26 4:25 ` Kyle Moffett
2007-06-26 13:47 ` Serge E. Hallyn
2007-06-27 0:07 ` Kyle Moffett
2007-06-27 0:57 ` Crispin Cowan
2007-06-27 1:22 ` Kyle Moffett
2007-06-27 4:24 ` Chris Wright
2007-06-27 13:41 ` Serge E. Hallyn
2007-06-27 14:36 ` James Morris
2007-06-27 17:21 ` Serge E. Hallyn
2007-06-27 18:51 ` Serge E. Hallyn
2007-06-27 19:28 ` James Morris
2007-06-28 2:48 ` Serge E. Hallyn
2007-06-25 3:57 ` [PATCH][RFC] " Serge E. Hallyn
2007-06-25 4:10 ` Chris Wright
2007-06-25 4:54 ` Serge E. Hallyn
2007-06-25 13:50 ` Casey Schaufler
2007-06-25 13:54 ` James Morris
2007-06-25 14:32 ` Serge E. Hallyn
2007-06-25 15:08 ` Casey Schaufler
2007-06-27 5:00 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-27 13:16 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 6:19 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-28 13:36 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:14 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:38 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-28 15:56 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-29 5:30 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-06-29 13:24 ` implement-file-posix-capabilities.patch Serge E. Hallyn
2007-06-29 14:46 ` implement-file-posix-capabilities.patch Casey Schaufler
2007-06-28 15:50 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-07-02 14:38 ` Serge E. Hallyn [this message]
2007-07-04 21:29 ` implement-file-posix-capabilities.patch Andrew Morgan
2007-07-04 23:00 ` implement-file-posix-capabilities.patch Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070702143816.GA17723@vino.hallyn.com \
--to=serge@hallyn.com \
--cc=agm@google.com \
--cc=akpm@google.com \
--cc=casey@schaufler-ca.com \
--cc=chrisw@sous-sol.org \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=morgan@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).