From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1161398AbbBEAUq (ORCPT <rfc822;w@1wt.eu>);
	Wed, 4 Feb 2015 19:20:46 -0500
Received: from h2.hallyn.com ([78.46.35.8]:40852 "EHLO h2.hallyn.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S965444AbbBEAUo (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Wed, 4 Feb 2015 19:20:44 -0500
Date: Thu, 5 Feb 2015 01:20:42 +0100
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Serge Hallyn <serge.hallyn@ubuntu.com>, Christoph Lameter <cl@linux.com>,
        Serge Hallyn <serge.hallyn@canonical.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Jonathan Corbet <corbet@lwn.net>, Aaron Jones <aaronmdjones@gmail.com>,
        "Ted Ts'o" <tytso@mit.edu>, linux-security-module@vger.kernel.org,
        linux-kernel@vger.kernel.org, akpm@linuxfoundation.org
Subject: Re: [capabilities] Allow normal inheritance for a configurable set
 of capabilities
Message-ID: <20150205002042.GB23013@mail.hallyn.com>
References: <alpine.DEB.2.11.1502021018500.5029@gentwo.org>
 <54CFB9B8.8020701@schaufler-ca.com>
 <20150202180806.GE24351@ubuntumail>
 <54CFC942.9010502@schaufler-ca.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <54CFC942.9010502@schaufler-ca.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Casey Schaufler (casey@schaufler-ca.com):
> On 2/2/2015 10:08 AM, Serge Hallyn wrote:
> > Quoting Casey Schaufler (casey@schaufler-ca.com):
> >> I'm game to participate in such an effort. The POSIX scheme
> >> is workable, but given that it's 20 years old and hasn't
> >> developed real traction it's hard to call it successful.
> > Over the years we've several times discussed possible reasons for this
> > and how to help.  I personally think it's two things:  1. lack of
> > toolchain and fs support.  The fact that we cannot to this day enable
> > ping using capabilities by default because of cpio, tar and non-xattr
> > filesystems is disheartening.  2. It's hard for users and applications
> > to know what caps they need.  yes the API is a bear to use, but we can
> > hide that behind fancier libraries.  But using capabilities requires too
> > much in-depth knowledge of precisely what caps you might need for
> > whatever operations library may now do when you asked for something.
> 
> The fix for that is to a change to the audit system. If the audit system
> reported the capabilities relevant to the decision you'd have what you
> need. If you failed because you didn't have CAP_CHMOD or you succeeded
> because you had CAP_SYS_ADMIN it should show up in the audit record.
> Other systems have used this approach.
> 
> You could, of course, create a separate capability result log, and I
> believe that Nokia had done something along those lines. I think that
> adding it to the audit trail is a more rational approach.

I wonder how much that would end up affecting performance, assuming it
left an audit message at every ns_capable() failure.  Even if it was
only done under a certain sysctl, it could certainly be useful.