From: "Serge E. Hallyn" <serge@hallyn.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>,
Christoph Lameter <cl@linux.com>,
Serge Hallyn <serge.hallyn@canonical.com>,
Andy Lutomirski <luto@amacapital.net>,
Jonathan Corbet <corbet@lwn.net>,
Aaron Jones <aaronmdjones@gmail.com>, "Ted Ts'o" <tytso@mit.edu>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, akpm@linuxfoundation.org
Subject: Re: [capabilities] Allow normal inheritance for a configurable set of capabilities
Date: Thu, 5 Feb 2015 01:20:42 +0100 [thread overview]
Message-ID: <20150205002042.GB23013@mail.hallyn.com> (raw)
In-Reply-To: <54CFC942.9010502@schaufler-ca.com>
Quoting Casey Schaufler (casey@schaufler-ca.com):
> On 2/2/2015 10:08 AM, Serge Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >> I'm game to participate in such an effort. The POSIX scheme
> >> is workable, but given that it's 20 years old and hasn't
> >> developed real traction it's hard to call it successful.
> > Over the years we've several times discussed possible reasons for this
> > and how to help. I personally think it's two things: 1. lack of
> > toolchain and fs support. The fact that we cannot to this day enable
> > ping using capabilities by default because of cpio, tar and non-xattr
> > filesystems is disheartening. 2. It's hard for users and applications
> > to know what caps they need. yes the API is a bear to use, but we can
> > hide that behind fancier libraries. But using capabilities requires too
> > much in-depth knowledge of precisely what caps you might need for
> > whatever operations library may now do when you asked for something.
>
> The fix for that is to a change to the audit system. If the audit system
> reported the capabilities relevant to the decision you'd have what you
> need. If you failed because you didn't have CAP_CHMOD or you succeeded
> because you had CAP_SYS_ADMIN it should show up in the audit record.
> Other systems have used this approach.
>
> You could, of course, create a separate capability result log, and I
> believe that Nokia had done something along those lines. I think that
> adding it to the audit trail is a more rational approach.
I wonder how much that would end up affecting performance, assuming it
left an audit message at every ns_capable() failure. Even if it was
only done under a certain sysctl, it could certainly be useful.
next prev parent reply other threads:[~2015-02-05 0:20 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-02 16:21 [capabilities] Allow normal inheritance for a configurable set of capabilities Christoph Lameter
2015-02-02 17:12 ` Serge Hallyn
2015-02-02 17:18 ` Andy Lutomirski
2015-02-02 18:09 ` Serge Hallyn
2015-02-03 15:16 ` Christoph Lameter
2015-02-03 15:23 ` Christoph Lameter
2015-02-03 15:55 ` Serge E. Hallyn
2015-02-03 17:18 ` Christoph Lameter
2015-02-03 17:26 ` Serge E. Hallyn
2015-02-04 15:15 ` Andrew G. Morgan
2015-02-04 15:50 ` Christoph Lameter
2015-02-04 15:56 ` Serge E. Hallyn
2015-02-04 16:12 ` Andrew G. Morgan
2015-02-04 16:34 ` Andy Lutomirski
2015-02-04 16:54 ` Andrew G. Morgan
2015-02-04 17:34 ` Serge E. Hallyn
2015-02-04 18:12 ` Christoph Lameter
2015-02-04 16:43 ` Christoph Lameter
2015-02-04 16:27 ` Andy Lutomirski
2015-02-05 0:34 ` Serge E. Hallyn
2015-02-05 15:23 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
2015-02-25 23:59 ` Christoph Lameter
2015-02-26 12:27 ` Pavel Machek
2015-02-27 20:15 ` Andy Lutomirski
2015-02-27 20:48 ` Pavel Machek
2015-02-27 20:56 ` Andy Lutomirski
2015-02-27 22:47 ` Pavel Machek
2015-02-02 17:54 ` Casey Schaufler
2015-02-02 18:08 ` Serge Hallyn
2015-02-02 18:47 ` Mimi Zohar
2015-02-02 19:05 ` Austin S Hemmelgarn
2015-02-02 20:35 ` Casey Schaufler
2015-02-03 16:04 ` Serge E. Hallyn
2015-02-02 19:00 ` Casey Schaufler
2015-02-05 0:20 ` Serge E. Hallyn [this message]
2015-02-02 20:37 ` Andy Lutomirski
2015-02-02 20:54 ` Casey Schaufler
2015-02-03 15:51 ` Serge E. Hallyn
2015-02-03 16:37 ` Casey Schaufler
2015-02-03 17:28 ` Serge E. Hallyn
2015-02-03 17:50 ` Casey Schaufler
2015-02-03 19:45 ` Christoph Lameter
2015-02-03 20:13 ` Andy Lutomirski
2015-02-03 23:14 ` Christoph Lameter
2015-02-03 23:17 ` Andy Lutomirski
2015-02-04 2:27 ` Christoph Lameter
2015-02-04 6:05 ` Markku Savela
2015-02-04 13:17 ` Christoph Lameter
2015-02-04 13:41 ` Markku Savela
2015-02-04 14:56 ` Jarkko Sakkinen
2015-02-03 15:17 ` Christoph Lameter
2015-02-03 15:40 ` Casey Schaufler
2015-02-03 15:46 ` Serge E. Hallyn
2015-02-03 17:19 ` Christoph Lameter
2015-02-03 17:29 ` Serge E. Hallyn
2015-02-25 21:50 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150205002042.GB23013@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=aaronmdjones@gmail.com \
--cc=akpm@linuxfoundation.org \
--cc=casey@schaufler-ca.com \
--cc=cl@linux.com \
--cc=corbet@lwn.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=serge.hallyn@canonical.com \
--cc=serge.hallyn@ubuntu.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).